Grindr Account System - Session Auth Bypass Vulnerability (Video)
Grindr Account System - Session Auth Bypass Vulnerability (Video)
Due to the successful participation in the bc flex security program the core team discovers today a security video that demonstrates a session auth bypass vulnerability in the grindr account system. The vulnerability has been patched in april next to the end of the bug bounty competition. The issue is that due to the password change the app is allowed to request through the browser the service.
Attackers with a low privilege account can request via POST and intercept the request to get a valid token. After the token has been saved the attacker is able to change the email value. After changing the email value theattacker is able to get access to another users/administrator account. To exploit the bug the session needs to be tampered,the request needs to be intercepted, stoped to store the valid token. After the token is stored the attacker can use a mobile application tamper to inject the new email value. The fail was that the token is not connected to the session itself but the request requires only a valid token. In the password change module were the same problem occurs is no token available in the request that send you through the iOS safari browser to the account system.
Proof of Concept
The session token reset auth bypass issue can be exploited by local low privileged user accounts without user interaction.
Password Change PoC: NO TOKEN REQUIRED!!!!
https://account.grindr.com/user/password?email=Bkm%40evolution-sec.com&locale=de&profileId=44889459
Grindr Bug Bounty Competition 2015 - Auth Bypass old email to email new
Advisory: http://www.vulnerability-lab.com/get_content.php?id=1419
Today's Most Popular
All Time Most Popular
Most Commented Articles
Top Rated Articles
Recent comments
Syndicate
Add new comment