Bypassing Private Profile Restrictions

So this post is about bypassing the private profile restrictions on a private program on HackerOne. I will not disclose the program name, so let's call it example.com.


So I got an invitation to a private program on HackerOne. I created an account on it; it was a file hosting service where you can host all your files.

I started testing it and doing reconnaissance on it as well. After creating a profile, there were two options in the settings: private profile and public profile. They create a page for each user on a subdomain, like imgur does. Anyone can visit it and see some basic info about the user, but if your profile is private, no one can see your profile, your profile picture, etc.

So I started looking for a bypass for these private profile restrictions.

1. If a user visits the profile image URL directly, they can download the user's profile picture even if the profile is private. But the image URL looks like this: https://subdomain.example.com/api/people/1768280b-8a78-463a-bdb9-f1a96835f466/profileImage
So it would be hard to guess the random value 1768280b-8a78-463a-bdb9-f1a96835f466 in order to retrieve a user's profile picture.
So it was a failed attempt.

2. Now when you log in, there is a request whose response contains an id parameter which looks like this: "id":"0a7561f5-dcd0-412e-bed3-f5734da4ddbd". If you substitute this for the value in the URL from step 1, an image is downloaded, but it was not the real profile picture of the user.

3. After further investigation I found that this alphanumeric value is the GUID of a person.
So I was testing some of the file sharing functionality on the site.
I configured Burp to intercept all the requests and responses coming from it. Whenever a person shares a file with someone who has a private account on example.com, there is a parameter in the response which leaks that person's GUID:

"profileImageUrl":"/api/people/00000000-0000-0000-0000-000000000000/profileImage","personGuid":"efef3e0b-a3b8-4fa9-b548-d23baccc96d1"

Now you can see that the value in profileImageUrl is all zeros, but personGuid holds the real value. Just replace the zeros with the value in personGuid and you can download the user's profile picture.
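To make the root cause concrete, here is a small Python model of the two defects described in the three steps above: an image endpoint whose only "protection" is an unguessable GUID, and a share response that blanks the image URL but still ships the real personGuid. This is an added example written for this post, not code from example.com or from the original report; the Person, Directory and can_view_profile names are my own assumptions about how such a service might be structured, and the sample accounts are constructed. The hardened versions enforce the privacy setting server-side on every request and stop emitting the identifier to people who are not allowed to see the profile.

```python
from dataclasses import dataclass, field
import uuid

# Placeholder GUID the service used in profileImageUrl for private profiles.
NULL_GUID = "00000000-0000-0000-0000-000000000000"


@dataclass
class Person:
    guid: str
    email: str
    private: bool
    profile_image: bytes
    contacts: set = field(default_factory=set)  # GUIDs allowed to see a private profile


class Directory:
    """In-memory stand-in for the service's people table (constructed for this example)."""

    def __init__(self):
        self.people = {}

    def add(self, email, private, image):
        person = Person(str(uuid.uuid4()), email, private, image)
        self.people[person.guid] = person
        return person


def can_view_profile(requester_guid, person):
    """Privacy rule: public profiles are visible to anyone; private ones only to
    the owner and to people the owner has shared with (assumed rule)."""
    if not person.private:
        return True
    if requester_guid is None:
        return False
    return requester_guid == person.guid or requester_guid in person.contacts


def profile_image_vulnerable(db, requester_guid, person_guid):
    """Mirrors the bug: knowing the GUID is the only 'check', so any leaked GUID works."""
    person = db.people.get(person_guid)
    if person is None:
        return 404, None
    return 200, person.profile_image


def profile_image_hardened(db, requester_guid, person_guid):
    """Re-checks the privacy setting on every request; an unguessable URL is not authorization."""
    person = db.people.get(person_guid)
    if person is None or not can_view_profile(requester_guid, person):
        # Same status for unknown and forbidden, so the endpoint does not confirm which GUIDs exist.
        return 404, None
    return 200, person.profile_image


def share_response_vulnerable(requester_guid, person):
    """Mirrors the leaky response: the image URL is blanked, but personGuid carries the real value."""
    visible = can_view_profile(requester_guid, person)
    return {
        "profileImageUrl": f"/api/people/{person.guid if visible else NULL_GUID}/profileImage",
        "personGuid": person.guid,
    }


def share_response_hardened(requester_guid, person):
    """Emit the identifier only when the requester may see the profile. The image endpoint
    re-checks anyway, so this is defence in depth rather than the sole control."""
    if can_view_profile(requester_guid, person):
        return {
            "profileImageUrl": f"/api/people/{person.guid}/profileImage",
            "personGuid": person.guid,
        }
    return {"profileImageUrl": None, "personGuid": None}


def demo():
    """Walks through the report: a private account, a sharer who reads the share response,
    and the leaked GUID used against the vulnerable vs. hardened image endpoint."""
    db = Directory()
    alice = db.add("alice@example.com", private=True, image=b"ALICE_PNG")   # constructed
    mallory = db.add("mallory@example.com", private=False, image=b"M_PNG")  # constructed

    leaky = share_response_vulnerable(mallory.guid, alice)
    fixed = share_response_hardened(mallory.guid, alice)

    before = profile_image_vulnerable(db, mallory.guid, leaky["personGuid"])
    after = profile_image_hardened(db, mallory.guid, alice.guid)
    owner = profile_image_hardened(db, alice.guid, alice.guid)
    return leaky, fixed, before, after, owner


if __name__ == "__main__":
    print(demo())
```

The point of the hardened pair is that the fix is not "hide the GUID better": the image endpoint has to decide for itself whether the requester may see this person's picture, and any identifier that is only meaningful to authorized viewers should not be returned to others at all.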

They gave me the email of one of their accounts and asked me to download that account's profile picture, and I successfully did that.

The team took about a year to fix this issue. :(

That's all for this post.


Thanks
Jitendra K Singh ( Team Computer Korner)

