Easiest Full Account takeover technique got me a Swag.

Ravaan
3 min readMar 6, 2023

--

Intro:

So I was lucky to be invited to the IWCON 2.0. I had a few invitations for me and my team so I forwarded a mail when suddenly the inner hacker wanted to hack the host of the IWCON 2.0- AEROMeET. Having previously reported a P1 bug and getting no response, I did not have many expectations but you know. This is a story of I took over an account, discovered a bug taking over several accounts within 5 min, and got swag for it!

Discovery:

So I get a email, for registration. Something like this: Focus on the link.

Here once i clicked the link, it automatically verified me and asked for a username. Really nice!

No Signup is required, just the invite. Well, thats sweet but since you know I have made a tool that basically gets all waybackurls in a better way and scans for sensitive stuff.

I did not run it because I was using my phone, so What I did instead is simply go to wayback machine and put the redirected link. I come across that they are using SendGrid which is basically an Email delivery server. So if users get auto-authenticated and its sent via Email. Can we just use the specific server we discovered and do a Gau search on it?

Turns out yes, and as suspected, few users pop up. I take over the account simply by clicking the link. I try a few Idor combos on the other AEROMEET SendGrid server and they also work and I get more users .

Pretty cool, since I dont link this AEROMEET company due to having no response for a more severe bug in past, I simply ignore it for a few days but then I thought, lets report it for the sake of the users.

I find that AEROMEET is using a new bug bounty platform, sweet and I report it immediately.

THE HAPPY ENDING:

I report it and here im leaking my Report, with confidential information removed:)

And after a few days, i forget about it and I continue my work, I get an unexpected reply from AEROMEET informing:

So I get the T-shirt. It's really Nice ngl but I rather spend time with useful bugs, this bug easily is worth $5000+ so never expect less if you’re doing this for money.

Btw here's the T-shirt.

Haha this company asked me to remove it.

Next blog will be about CVEs and Exploits. Let me know if you’re interested in that or more writeup of bugs or Blackhat stories.

End of the day, pretty good for 5 min of work and 5 min of report writing. I have several other bugs which I discovered in the past with this company, Ill be slowly reporting them when I need extra t-shirts for summer. Hope you liked the writeup/Blog, CLapping more than once gives you luck for future bugs, HAHA! .. Signing out- RAVAAN;)

PS: The company contacted me to remove this. So I had to remove most of the details related to the company.

--

--

Ravaan
Ravaan

Written by Ravaan

Red Teamer/BBHH. APPLE HOF ADOBE HOF, Governments to fortune 500 companies, UN. Reaseacher/Malware. CVE Hunting. Bookworm. CEH(prac)

Responses (3)