Bug Bounty: Bypassing Account Suspension to Get Full Access to the Account [Mediafire]

Hi there,

In this post I am going to discuss a bug which I found on Mediafire.
I noticed that Mediafire has a bug bounty program.

What is Mediafire:- 

MediaFire is a file hosting, file synchronization, and cloud storage service based in Shenandoah, Texas, United States. Founded in June 2006 by Derek Labian and Tom Langridge, the company provides client software for Microsoft Windows, Mac OS X, Linux, Android, iOS, BlackBerry 10, and web browsers. MediaFire has 43 million registered users and attracted 1.3 billion unique visitors to its domain in 2012.

There are three types of account on Mediafire:
1. Basic (free) :- Has some basic-level features with limited storage and bandwidth.
2. Pro (Paid) :- Has more features, as it is paid: much larger bandwidth and 100GB storage.
3. Business (Paid) :- For teams, with all Mediafire features: you can add other users, customize the download page, increase bandwidth, export a folder as a zip, and download the logs of the users.

As it requires an international credit or debit card to create a Pro or Business account, I created a Basic account for free and started looking at the functionality.

Most features, like deleting files, generating a one-time download link etc., use the Mediafire API, so I quickly looked at the documentation of the API. You can find the Mediafire API here.

So what happens on login:-
Whenever you log in to your account it generates an authenticity_token. The token lives for 10 minutes; after that it renews the token using this API call,
but if your session is idle for 5-7 minutes then you have to enter the password again to renew the token.

The Bug:-

So actually I was looking at some of their functionality but, due to some work, I logged out of my account. After logging out, it redirected me to a page which says:

This account has been locked.
See our page about account suspensions for more information.

I was like, WHAT DID I DO WRONG? :(

So after some time, once the work was done, I came back and tried to log in again, but after redirecting me to the home page it again redirected me to that page which shows that the account is suspended.

Now I fired up Burp and started looking at what was actually going on.

1. After login it generates the authenticity token and redirects to the home page.
2. After verifying that this is a suspended account it redirects me to the page which shows the warning.

So I couldn't do anything using the web app.
I started looking at the Mediafire API and tried one API call, the one for creating a folder: http://www.mediafire.com/api/1.5/folder/create.php

Now I copied the authenticity token which was generated during the login, tried to create a folder, and it was successful.

I could also access files etc. using the Mediafire Android app.

So what is actually happening is that the API generates the token but does not invalidate it after confirming that the account is suspended, and using the API I could access most of the features of Mediafire.

So now, as a fix, Mediafire invalidates the token as soon as they confirm that the account is suspended, and using the mobile application you can't use any features with a suspended account.
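To make the bug and the fix concrete, here is an added example (my own toy model, not Mediafire's code) of the two checks an API handler needs. The account and token stores are constructed in memory and the handler names are assumptions; the vulnerable handler only asks whether the token is live, while the fixed version also revokes tokens on suspension and re-checks account status on every call.

```python
import secrets
import time

# Constructed in-memory stand-ins for the backend (an assumption, not MediaFire's code).
ACCOUNTS = {"alice": {"suspended": False}}
TOKENS = {}          # token -> {"user": ..., "expires": ...}
TOKEN_TTL = 10 * 60  # 10-minute token life, as the post describes

def login(user):
    """Issue a fresh session token after a successful password check."""
    tok = secrets.token_hex(16)
    TOKENS[tok] = {"user": user, "expires": time.time() + TOKEN_TTL}
    return tok

def _live_record(token):
    """The token's record if it exists and is unexpired, else None."""
    rec = TOKENS.get(token)
    return rec if rec and rec["expires"] >= time.time() else None

def suspend_account_fixed(user):
    """Fix: flag the account AND revoke its tokens (the original only set the flag)."""
    ACCOUNTS[user]["suspended"] = True
    for tok in [t for t, rec in TOKENS.items() if rec["user"] == user]:
        del TOKENS[tok]

def api_folder_create_vulnerable(token):
    """Vulnerable handler: a live token is all it asks for."""
    if _live_record(token) is None:
        return "error: invalid token"
    return "ok: folder created"

def api_folder_create_fixed(token):
    """Fixed handler: live token AND unsuspended account, re-checked on every call."""
    rec = _live_record(token)
    if rec is None:
        return "error: invalid token"
    if ACCOUNTS[rec["user"]]["suspended"]:
        return "error: account suspended"
    return "ok: folder created"

def run_scenario():
    """Replay the report: log in, get suspended, then call the API with the old token."""
    ACCOUNTS["alice"]["suspended"] = False
    tok = login("alice")
    ACCOUNTS["alice"]["suspended"] = True           # original suspension: flag only
    before_fix = api_folder_create_vulnerable(tok)  # the bug: still "ok"
    still_flag_only = api_folder_create_fixed(tok)  # status check alone catches it
    suspend_account_fixed("alice")                  # fix also revokes the token
    after_fix = api_folder_create_vulnerable(tok)   # now even the old handler says no
    return before_fix, still_flag_only, after_fix
```

The per-call status check matters even with revocation in place, because a token issued on another client (the Android app in the post) can outlive a suspension flag that was set elsewhere.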

Disclosure Timeline
27-Feb-2016: Reported
9-Mar-2016: First response received > Looking at this report
14-Mar-2016: Bounty Awarded(Certificate and pro account)
15-Mar-2016: Resolved
27-Feb-2017: Disclosed

Jitendra K Singh (Team Computer Korner)

