I am not a bug hunter, but whenever I find a vulnerability while messing around, I report it without expecting any reward.
You must be wondering why I was testing Fotor. Well, it's a chain of events that I will write about in my next article, which will also explain why I attacked that “import from URL” feature at the first encounter.
So I opened up Fotor’s web editor and clicked on the “import from Facebook” option.
When I tried to include an image from Facebook, I noticed that the following endpoint was being used to load the image:
https://gw.fotor.com/netResource/loadImage?url=<url of the picture>
Then I tried to include a picture from some other domain to see if they were using some kind of whitelist, but it got included!
Okay! That’s some progress, but can it include stuff other than images?
I used my xss.html to check the same and got a download prompt!
I downloaded the file, and it was an HTML file containing the rendered webpage. So what’s next? I decided to test for SSRF and entered the following payload:
I got a download prompt again, and this time it was their /etc/passwd file.
Great! I knew exactly what to do next. I tried to fetch their AWS keys with the following URL:
Boom! Another download prompt and this time it contained their AWS details!
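The root cause of everything up to this point is a server-side fetcher that takes a user-supplied URL with no scheme restriction, no host allowlist and no check on what comes back. The validator below is an added example (not Fotor's code, and not the script mentioned in this write-up) of the three gates such an "import from URL" endpoint should apply before fetching anything: only http/https, only hosts on an explicit allowlist, and only hosts that resolve to public addresses (which rules out loopback, RFC 1918 ranges and the link-local cloud metadata range), plus a check that the response actually declares an image content type. The allowlisted hostnames, the sample address and the `resolver` hook are constructed placeholders so the code runs offline.

```python
"""Defensive URL validation for a server-side "import from URL" image fetcher.

Added example, not the application's own code. Assumes a service that, like the
endpoint described above, fetches a user-supplied URL on the server side.
Hostnames in ALLOWED_HOSTS and any addresses in the tests are constructed.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}          # no file://, gopher://, ftp://, ...
# Constructed allowlist: the only origins the importer may fetch from.
ALLOWED_HOSTS = {"scontent.xx.fbcdn.net", "images.example-cdn.com"}
ALLOWED_CONTENT_TYPES = {"image/png", "image/jpeg", "image/gif", "image/webp"}


class UnsafeURL(ValueError):
    """Raised when a user-supplied URL fails one of the checks."""


def default_resolver(host):
    """Resolve host to every IPv4/IPv6 address it maps to (needs network)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_public_address(addr):
    """True only for globally routable unicast addresses.

    ipaddress.is_global is False for loopback, RFC 1918, link-local
    (169.254.0.0/16, where cloud metadata services live), CGNAT and
    documentation ranges, so one check covers all the internal targets.
    """
    ip = ipaddress.ip_address(addr)
    return ip.is_global and not ip.is_multicast


def validate_fetch_url(url, resolver=default_resolver):
    """Return (host, sorted addresses) if url may be fetched, else raise UnsafeURL."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise UnsafeURL(f"scheme not allowed: {parts.scheme!r}")
    host = parts.hostname
    if not host:
        raise UnsafeURL("missing host")
    if parts.username or parts.password:
        # user:pass@host forms are a classic way to confuse naive host parsing
        raise UnsafeURL("credentials in URL not allowed")
    if host.lower() not in ALLOWED_HOSTS:
        raise UnsafeURL(f"host not on allowlist: {host!r}")
    addresses = resolver(host)
    if not addresses:
        raise UnsafeURL("host did not resolve")
    # Even an allowlisted name must not point inside the network.
    for addr in addresses:
        if not is_public_address(addr):
            raise UnsafeURL(f"host resolves to non-public address {addr}")
    return host, sorted(addresses)


def check_response_headers(headers):
    """Second gate, applied after the fetch: the body must declare an image type."""
    ctype = headers.get("Content-Type", "").split(";")[0].strip().lower()
    if ctype not in ALLOWED_CONTENT_TYPES:
        raise UnsafeURL(f"not an image: {ctype!r}")
    return ctype


def is_safe(url, resolver=default_resolver):
    """Boolean wrapper for logging and tests."""
    try:
        validate_fetch_url(url, resolver)
        return True
    except UnsafeURL:
        return False


if __name__ == "__main__":
    # Constructed resolver so the demo runs without DNS.
    fake = {"scontent.xx.fbcdn.net": {"157.240.1.1"}}.get
    for candidate in ("https://scontent.xx.fbcdn.net/photo.jpg",
                      "file:///etc/passwd",
                      "http://169.254.169.254/latest/meta-data/"):
        print(candidate, "->", "fetch" if is_safe(candidate, lambda h: fake(h, set())) else "reject")
```

Two caveats worth keeping in mind when wiring this in: the fetch itself should connect to the address that was validated (or re-validate on every redirect), otherwise a name that resolves differently a moment later, or a 302 to an internal address, walks around the check; and the Content-Type gate is a sanity check, not a parser, so the downloaded bytes should still go through the image library before anything is served back.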
Okay, what else can be done?
I had the same question in mind, so I wrote a Python script to make it easier to browse their file system.
After looking for interesting stuff here and there, I finally decided to download that jar file. It had a lot of interesting contents, and one of them was this:
Yep! These are their Facebook, GitHub, Fotor and OAuth access tokens. I also got the source code of their web app.
I thought that was enough and decided to contact their team. I mailed them and, after waiting for 2 days, I decided to tweet at them, and their response deserves a triple facepalm.
After tweeting a couple more times, I received this from their side:
Alright, it looked like some security-aware person was finally handling their Twitter account, so I sent them the email containing the PoC again. And I was kind of happy, because this was the first time I was going to receive something for something that I do daily. I was thinking about buying a pair of shoes that I couldn’t afford before, but you know what they did? They patched it silently, which is not a good thing to do.
The issue that I found had some really serious impact, and I didn’t expect a reward in the first place, so if they decided not to give me one that was okay, but they could have at least said, “We patched the issue, thanks for reporting.” But no, they just patched it silently.
That’s all for now, the next write up is going to be a prequel to this one.