Friday, October 11, 2024

Business Logic Flaw in Guest Purchase Functionality Exposes PII in a Shopping Application.

Hey everyone! 🎉 It’s Saturday again, and I’m super excited to share my latest adventure in web hacking! This week has been a blast as I dove back into learning how to read code. Today, I want to take you through a vulnerability I discovered on Intigriti, a cool bug bounty platform like HackerOne and Bugcrowd. Big shoutout to Jayesh @Jayesh25 for inspiring this discovery—definitely give him a follow!

Let’s break it down step by step! 🛠️

Step 1: What’s the Guest Purchase Feature? 🤔

Many modern shopping applications let you buy products without signing up. This is super convenient! Imagine someone wanting to only buy underwear—signing up might feel a bit awkward, right? With the guest feature, all you need to do is select the option to purchase as a guest and proceed to payment. Easy peasy! 🍰

Step 2: Spotting the Vulnerability 🔍

Now, here’s where it gets interesting! The vulnerability I found is a business logic issue in the guest buying functionality. When a user (the victim) makes a payment and provides personally identifiable information (PII), like their home address and phone number, the application files that order, PII included, under the email address the guest typed in, and that email string alone later decides who gets to see the order. 😱

Step 3: The Core Problem ⚠️

Here’s the kicker: the application allows anyone to sign up without verifying their email address. That means an attacker can create an account using the victim's email address, and because the email is the only thing linking a guest order to a person, the new account simply inherits the victim's PII.

To break it down:

  • Email as Identifier: The email address is used to identify the user making the payment.
  • Lack of Verification: If the application doesn’t verify email addresses during signup, it opens the door for attackers to access sensitive information just by signing up with the same email or phone number.

Step 4: How It Works 🛠️

Let’s look at how this vulnerability can be exploited:

  1. Victim Makes a Purchase: A user buys a product as a guest and provides their PII.
  2. Application Stores PII: The application stores this information linked to the email address the guest entered.
  3. Attacker Signs Up Using the Victim’s Email Address: An attacker signs up with the same email address as the victim, and the application never checks that they actually control that mailbox.
  4. Access Granted: The attacker is now logged in as the “owner” of that email, so everything tied to it is theirs to read.
  5. Straight to Payment History: That is the page where the leaked PII normally shows up.
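To make the flow concrete, here is a small Python model of the flaw and of one way to fix it. This is an added example, not code from the post or from the affected application; the shop classes, the `Order` fields, the `verify()` step and the sample order for `victim@example.com` are all constructed for illustration. `VulnerableShop` keys orders by the email string and lets anyone sign up with any address; `HardenedShop` keeps the same storage but only attaches guest orders to an account once a verification token (which in a real app would only ever be emailed, never returned by the API) has been presented.

```python
# Added example, not code from the post or the target shop. It models the flaw:
# guest orders are keyed by e-mail, and signup never proves the signer-up
# controls that mailbox. Names, data and the API shape are all constructed.
import secrets
from dataclasses import dataclass


@dataclass
class Order:
    email: str
    full_name: str
    address: str
    phone: str
    items: list
    card_last4: str


@dataclass
class Session:
    email: str


class VulnerableShop:
    """Guest orders are filed under the buyer's e-mail; any later account with
    the same e-mail inherits them, because signup never verifies the address."""

    def __init__(self):
        self.orders = {}    # email -> [Order]
        self.accounts = {}  # email -> password (plaintext only to keep the model short)

    def guest_checkout(self, order: Order) -> None:
        self.orders.setdefault(order.email, []).append(order)

    def signup(self, email: str, password: str) -> None:
        # No ownership check: whoever types the address first owns the account.
        self.accounts[email] = password

    def login(self, email: str, password: str) -> Session:
        if self.accounts.get(email) != password:
            raise PermissionError("bad credentials")
        return Session(email)

    def order_history(self, session: Session) -> list:
        # The flaw: identity == e-mail string, so an unverified account sees guest PII.
        return self.orders.get(session.email, [])


class HardenedShop(VulnerableShop):
    """Same storage, but guest orders are only attached to an account once the
    account has proven control of the mailbox with an e-mailed token."""

    def __init__(self):
        super().__init__()
        self.pending = {}    # email -> verification token (would be e-mailed, never returned)
        self.verified = set()

    def signup(self, email: str, password: str) -> str:
        if email in self.accounts:
            raise ValueError("already registered")  # prevents silent password overwrite
        self.accounts[email] = password
        token = secrets.token_urlsafe(32)
        self.pending[email] = token
        return token  # returned here only so the demo can simulate receiving the e-mail

    def verify(self, email: str, token: str) -> bool:
        expected = self.pending.get(email)
        if expected is not None and secrets.compare_digest(expected, token):
            self.verified.add(email)
            del self.pending[email]
            return True
        return False

    def order_history(self, session: Session) -> list:
        if session.email not in self.verified:
            return []  # no claim on past guest orders without proof of mailbox control
        return super().order_history(session)


# Constructed sample data: the victim's guest order.
VICTIM = Order("victim@example.com", "Jane Doe", "1 Main St", "+1-555-0100",
               ["socks"], "4242")


def attacker_view(shop: VulnerableShop) -> list:
    """Replay the post's steps: victim buys as a guest, attacker signs up with
    the victim's e-mail (never touching a mailbox) and opens the order history."""
    shop.guest_checkout(VICTIM)
    shop.signup(VICTIM.email, "attacker-pw")
    return shop.order_history(shop.login(VICTIM.email, "attacker-pw"))


def victim_view_after_verify(shop: HardenedShop) -> list:
    """The real owner signs up, proves control of the mailbox, and gets the order back."""
    shop.guest_checkout(VICTIM)
    token = shop.signup(VICTIM.email, "victim-pw")  # token reaches the real mailbox
    assert shop.verify(VICTIM.email, "guessed-token") is False
    shop.verify(VICTIM.email, token)
    return shop.order_history(shop.login(VICTIM.email, "victim-pw"))


if __name__ == "__main__":
    print("vulnerable:", [o.address for o in attacker_view(VulnerableShop())])
    print("hardened  :", [o.address for o in attacker_view(HardenedShop())])
    print("verified  :", [o.address for o in victim_view_after_verify(HardenedShop())])
```

Running it prints the victim's address from the vulnerable shop, an empty list from the hardened one, and the order again once the real owner has verified. The point of the hardened version is that it does not just block the attacker: the data stays reachable for the legitimate customer, which is what makes this a business logic decision (who may claim a guest order) rather than a plain missing access check.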

Step 5: How Do Attackers Get the Victim's Email? 📧

You might ask, "How do I get the victim's email?" Well, it’s pretty easy! For starters, I just leaked my email at the end of this blog post. If I hadn’t signed up already and you stumbled across the application, you would have access to all my user data. It’s literally that easy! Just leaving your email anywhere can give an attacker the opportunity to sign up and gain access to your information.

Step 6: What Was Leaked by the Application? 📜

You might also wonder what kind of information was leaked by the application. Here’s a rundown:

  • My full name
  • Home address
  • Phone number
  • What I purchased
  • And drumroll, please... my payment credentials, including my credit card details!

The application does a decent job of hiding the CVV code, but still, it’s a significant security flaw. While it ended up being a duplicate report, it was really fun to exploit! 😄

Step 7: Key Takeaways 📝

Here are some important lessons I learned from this experience:

  • Paying for Extra Functionality: Sometimes putting real money through a checkout is what gets you to the buggy code. In my case, while it wasn’t a direct payment issue, it was still accepted as a valid bug that could have earned me a reward! 💰

  • Verification Matters: This vulnerability only exists if there is no verification in the signup process or if you find a way to bypass the verification step. So when you look at a guest checkout, check two things: whether signup proves control of the mailbox, and whether order history is keyed off the email string alone.

  • Understand the Flow: Knowing how the application works is crucial; it helps you identify potential weaknesses to exploit.


Conclusion 🎊

That’s all for now! Thanks for reading, and I hope you learned something valuable—I certainly did! Before I sign off, here are some blog posts you should definitely check out. They’re packed with great insights:

 

CONTACT ME

You can find me on Twitter: @richard_onyeka

Feel free to reach out via email: richardonyeka@duck.com

Saturday, October 5, 2024

THE THIRD ONE!

Hey everyone! 🌟 It’s been a little while since I last shared my thoughts, and I’ve been diving deep into some fascinating topics lately. I took a break from bug bounty hunting to sharpen my skills in code review—specifically in JavaScript. This week, I’ve been soaking up a ton of information about programming, hacking, AI, and even encryption.

I really didn’t expect to get stuck at times, and I ended up going back to web hunting, which sadly led to a duplicate submission. There’s this feeling I have about needing to be productive and not just learning, especially when I see so many great things happening in the community on Twitter. It can be a bit overwhelming!

I did some work on PentesterLab but got stuck—mostly because I don’t fully understand the difference between let and var in JavaScript. Is let a constant or a variable? It sure doesn’t want to be redeclared! 😂 I’m working on this, and hopefully, by the end of this blog, I’ll have a better grasp of it and of JavaScript, although for some reason there is always something more to learn.

Back to PentesterLab, I didn’t want to just breeze through the labs with the help of spoilers without really understanding anything. I found myself stuck and had to reach out to a mentor, Louis (Louis Nyffenegger, the owner of PentesterLab), who was incredibly helpful. He advised me that if I wanted to do well, I needed to focus on the source code and consider that my attack surface, unlike web applications, which are generally easier to deep dive into.

Enough of my rambling! I think I’ll have to separate these blog posts into a Saturday and Wednesday thing so they won’t be too long. My apologies for the lengthy intro, but I appreciate you sticking with me!

It’s Cybersecurity Awareness Month, and just in case you don’t know what that is, it’s basically a month where we spread knowledge about cybersecurity. That’s why our main topic today is securing our information. And don’t worry that this blog will be all about general topics; it’s mostly about hacking. But since it’s Cybersecurity Awareness Month, one blog post has to go to that. Since I won’t be speaking much on these topics on my Twitter, I might as well write one blog post that emphasizes awareness. Of course, there will also be some bug bounty or penetration testing tips at the end that relate to these, so feel free to skip to the end! And obviously, come back up afterwards, since you’ll need the setup details.

How to Secure Your Email Address

Before you dismiss this or skip over it, it might be something you have not heard before, so stick around a bit. Never judge a blog post by its second header.

Let’s talk about email addresses. They’re like the lifeblood of our digital lives! But here’s the catch: they can also be a way for bad actors to track us down. If your email address includes your name—like firstname.lastname@gmail.com—someone could easily figure out who you are. Yikes!

Imagine getting a phishing email that has your name in it. You might think, “Oh, this looks trustworthy!” But if your email address is out there, it’s a recipe for disaster. So, how do we fix this?

Here’s a Simple Solution!

One great way to enhance your online security is by using DuckDuckGo, a privacy-focused search engine that doesn’t track your searches or store your personal information. It’s all about keeping your online activities private!

And guess what? DuckDuckGo also has a fantastic browser that blocks trackers and keeps your searches anonymous. By using both the search engine and the browser, you can significantly reduce your digital footprint. How cool is that?

Let’s Dive into DuckDuckGo’s Email Relay Feature!

One of the coolest features DuckDuckGo offers is its Email Relay. This service lets you create a unique, anonymous email address that forwards messages to your real email. This way, you can keep your identity safe while still getting important communications. Here’s how to set it up:

  1. Visit the Email Relay Page: Head over to DuckDuckGo Email Relay.
  2. Create a New Email Address: Click to create a new email address that ends with @duck.com. This will be your anonymous email address.
  3. Link to Your Real Email: Enter your existing email address where you want the forwarded messages to go. This way, you won’t miss any important emails!

How to Use Your New Email Address

  • Sign Up for Services: Use your DuckDuckGo email address when signing up for services, newsletters, or online accounts. This keeps your real email private and helps reduce spam.
  • Receive Emails: Any emails sent to your DuckDuckGo address will be forwarded to your real email, so you can manage your communications without revealing your identity.

Why You’ll Love It

  • Privacy: Your real email address stays hidden, which means less spam and fewer phishing attempts.
  • Control: If you start getting unwanted emails, you can easily delete or disable your DuckDuckGo email address. You’re in charge! However, I haven’t explored all the potential risks, so be careful—there might be ways that could lead to an email relay address takeover if you were to delete your relay email, allowing an attacker to claim your relay address, including your messages. Also, if you delete the relay email, be cautious, as DuckDuckGo may not allow you to reclaim that relay address later. Just something to keep in mind!

Bug Bounty Tip as Promised!

Here’s a little bug bounty tip for you! You might be testing an application and find that a certain functionality requires you to have a paid email. You might think, “That’s weird; my Gmail doesn’t work!” Well, that’s because these checks are usually just a blocklist of well-known free-mail domains, so Gmail is rejected as not a business email, while a less common domain gets through. For example, testing@gmail.com is not a business email, but testing@duck.com is! You see where I’m going with this? 😂 You get a free “business” email, so you can continue your testing without a hitch. You are welcome 😂

Final Thoughts

In a world where our digital identities are constantly at risk, taking proactive steps to secure your email is super important. DuckDuckGo’s Email Relay is a powerful tool that enhances your privacy and gives you control over your online presence. Remember, cybersecurity awareness isn’t just a month-long event; it’s a journey we’re all on together. Stay informed, stay secure, and let’s keep learning!

Recommended Blogs to Check Out

Before I sign off, here’s a list of blogs I highly recommend checking out for more insights and tips:

  1. PentesterLab Blog: This post offers valuable insights into why wasting time sometimes is okay and even necessary.

  2. Cryptography Engineering Blog: This post discusses the security implications of using Telegram as a messaging app, highlighting its encryption features and potential vulnerabilities.

  3. A path to thrive in bugbounty: This is an awesome blog post on a mental guide to bug bounty. I literally read it this evening and just had to add it in.

Thanks for hanging out and reading my ramblings! On the bright side, I finally figured out the difference between let and var. Yay me! Until next time, have fun and take care!
