Hello amazing hackers ❤ I hope you are all doing well! Today I’d like to talk to you all about the easiest money I ever made. You will see that reading the manual is always very important. If we fail to do that, we neglect an amazing resource of information, and no matter how obvious something seems, we should never assume something works as described in the manual.
Picking the program
As always, finding a good bug starts with a good program. [REDACTED] is a business-to-business application that focuses on HR. As you guys know by now, I adore these kinds of targets, and I set off to work as I usually do.
Main app methodology
My methodology always starts with exploring my target very well. Before I can hack something I need to know how it works, and for that it all starts with the manual, if one is available. These things are goldmines! Not only do they tell you what you can do, they usually also tell you what you can’t do!
As hackers, of course we want to focus on those things that we are not allowed to do and try to get them to work in some way anyway. This is why we should never assume that whatever the manual says is how it works.
For [REDACTED] the manual read “You can not deactivate super admin users”. Naturally, if something tells me I can’t do what I want, I will let my inner rebel speak, and I will try to deactivate those super admin users.
And what do you know… I was able to do just that!
This was possibly one of the easiest reports I had to write. No technical stuff, no complicated steps to follow, just simple good old reporting.
This was my original report with details redacted. Please don’t mind the mistakes.
According to the user manual found here https://[REDACTED].pdf it should not be possible to deactivate a Super Admin user. This check however does not seem to be in place and it is perfectly possible to disable an account with super admin role.
“A user with super admin role cannot be deactivated.”
- Register as a [REDACTED] account
- Create a user
- Activate that user via the email that was sent
- Log in to confirm the account works
- Log in as the administrator of the venue again
- Assign them to the [REDACTED] Super Admin role
- Click the 3 dots next to their username
- Deactivate the account
- Try to log in with the user
- “The account for this user is not active. Please, activate the account and try again.”
A malicious admin could deactivate all the super admin accounts; he would be able to kick every other admin from the system. I marked this issue high as I can compare it the most to Privilege escalation since the user is able to do actions he/she should not be able to do with possible significant impact.
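The bug class behind this report is a documented business rule that the server never enforced. The following is an added example, not code from the original post or the vendor's application: a hypothetical in-memory user store with the deactivation handler as the report describes it (any admin can deactivate anyone) next to a hardened handler that enforces the manual's "a super admin cannot be deactivated" rule server-side and records the decision for audit. All names, roles and sample users are constructed.

```python
from dataclasses import dataclass, field

SUPER_ADMIN = "super_admin"  # constructed role name; the real product's name is redacted


class DeactivationDenied(Exception):
    """Raised when a deactivation request violates the documented policy."""


@dataclass
class User:
    username: str
    roles: set = field(default_factory=set)
    active: bool = True


class UserDirectory:
    """Hypothetical stand-in for the application's user store and API."""

    def __init__(self, users):
        self.users = {u.username: u for u in users}
        self.audit = []  # constructed audit trail of allowed and denied actions

    def deactivate_vulnerable(self, actor, target):
        # Behaviour the report describes: the UI offers "Deactivate" to every
        # admin and the backend applies no role check, so super admins go too.
        user = self.users[target]
        user.active = False
        return user.active

    def deactivate(self, actor, target):
        # Hardened version: the manual's rule is enforced here, not in the UI,
        # so hiding the menu entry is not what protects the account.
        user = self.users[target]
        if SUPER_ADMIN in user.roles:
            self.audit.append(f"DENY actor={actor} target={target} reason=super_admin_protected")
            raise DeactivationDenied(f"{target} holds the super admin role and cannot be deactivated")
        user.active = False
        self.audit.append(f"ALLOW actor={actor} target={target}")
        return user.active


if __name__ == "__main__":
    # Constructed sample: alice is a normal admin, bob a super admin, carol a plain user.
    store = UserDirectory([User("alice", {"admin"}), User("bob", {SUPER_ADMIN}), User("carol")])
    print("vulnerable path deactivated bob:", not store.deactivate_vulnerable("alice", "bob"))
    store.users["bob"].active = True
    try:
        store.deactivate("alice", "bob")
    except DeactivationDenied as exc:
        print("hardened path refused:", exc)
    print("audit:", store.audit)
```

The DENY audit line is what a detection team would alert on: repeated denied attempts against super admin accounts by a single actor is exactly the "malicious admin" scenario the report rates as high impact.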
And that is when the wait began… I reported this on a Friday, so I had to wait a whole weekend before finding out if I got a dupe or not. Everything inside me was screaming it was a dupe!
On Monday that dreaded email finally came. I fully expected to see the word duplicate due to the simplicity, but to my surprise the issue was accepted! It was fixed within a month and I had my 125 Euro bounty ❤
I hope you liked reading this, amazing hacker friend ❤ ❤