A dating app is an absolute mess in terms of access control. Shocker...
The first bug really sets the tone - non-premium users can use premium functionality by sending the request directly. The mobile app just doesn't show it to them. Classic bug.
After the first vulnerability, the rest is a long list of access control vulnerabilities that are mostly uninteresting from a technical standpoint. Reading other users' messages, updating another person's profile, getting a like from any user, sending messages in another person's chat and viewing other people's matches were all simple IDORs on the GraphQL API.
It was possible to view another user's attachments as well. This was a fairly standard IDOR, except that prefixing the URL path with v1 bypassed all authorization checks. Fuzzing does wonders when done correctly, but this is a fairly weird thing to fuzz for.
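The v1 prefix bypass is what happens when authorization is decided by matching the raw request path against a list of protected prefixes while the router is more lenient than the check. The following is an added example, not code from the post or the app: a toy dispatcher whose router accepts an optional `/vN` segment, a middleware-style check that only knows `/api/attachments/`, and a hardened version that enforces authentication and ownership in the handler itself. All handler names, paths, users and attachment data are constructed.

```python
"""Added example (not from the post): why a path-prefix authorization check
is bypassable when the router is more lenient than the check.

The authorization middleware decides by matching the raw request path against
a list of protected prefixes, while the router strips an optional API version
segment such as "/v1" before dispatching. Handler names, paths, users and the
attachment data are constructed for illustration.
"""
import re
from dataclasses import dataclass
from functools import wraps
from typing import Optional


@dataclass
class Request:
    path: str
    user: Optional[str] = None   # None means unauthenticated


# constructed sample data: attachment 42 belongs to alice
ATTACHMENTS = {"42": {"owner": "alice", "data": b"photo-bytes"}}

# the router accepts "/api/attachments/<id>" with or without a leading "/vN" segment
ROUTE = re.compile(r"(?:/v\d+)?/api/attachments/(\w+)")


def route(path):
    m = ROUTE.fullmatch(path)
    return m.group(1) if m else None


# --- vulnerable: authorization is a prefix match on the raw path ---
PROTECTED_PREFIXES = ["/api/attachments/"]


def vulnerable_dispatch(req):
    if any(req.path.startswith(p) for p in PROTECTED_PREFIXES) and req.user is None:
        return 401, "auth required"
    att_id = route(req.path)          # "/v1/api/attachments/42" reaches here unauthenticated
    att = ATTACHMENTS.get(att_id)
    if att is None:
        return 404, "not found"
    return 200, att["data"]           # and there is no ownership check either


# --- hardened: the handler itself enforces authentication and ownership ---
def requires_owner(handler):
    @wraps(handler)
    def wrapper(req, att_id):
        if req.user is None:
            return 401, "auth required"
        att = ATTACHMENTS.get(att_id)
        if att is None or att["owner"] != req.user:
            return 404, "not found"   # same answer for "missing" and "not yours"
        return handler(req, att)
    return wrapper


@requires_owner
def get_attachment(req, att):
    return 200, att["data"]


def hardened_dispatch(req):
    att_id = route(req.path)
    if att_id is None:
        return 404, "not found"
    return get_attachment(req, att_id)   # every path that routes here is checked


if __name__ == "__main__":
    for path in ("/api/attachments/42", "/v1/api/attachments/42"):
        print(path, vulnerable_dispatch(Request(path)), hardened_dispatch(Request(path)))
```

The fix is not to add `/v1/api/attachments/` to the prefix list; it is to put the check where the request actually ends up, so any alias the router accepts (version prefixes, trailing slashes, case differences) is covered automatically. Returning 404 for both "missing" and "not yours" also avoids confirming which attachment ids exist.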
The other interesting bug was that attempting to delete an already deleted message returned the message itself. Why the message is kept after deletion I'm not sure, but it's an interesting case of an IDOR leading to information disclosure in an unexpected place. The same bug can be used to delete and edit messages as well.
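Both the simple IDORs on the GraphQL API and the re-delete leak come down to resolvers that trust a client-supplied id and never consult the authenticated caller. The following is an added example, not the app's schema or code: an in-memory message store with resolver functions written the way a GraphQL server would call them (a context carrying the authenticated user, plus the query arguments). The vulnerable pair reads and soft-deletes by id alone and returns the full record even on a repeat delete; the hardened pair derives authorization from the context, treats a deleted message as non-existent, and returns only an id and status. Chats, users and messages are constructed sample data.

```python
"""Added example (not from the post): IDOR in GraphQL-style resolvers, and
the information leak from re-deleting a soft-deleted message.

Resolvers take (ctx, args) like a GraphQL server would pass them. The schema,
names and sample data are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, Set


@dataclass
class Message:
    id: int
    chat_id: int
    sender: str
    body: str
    deleted: bool = False


# constructed sample data: chat 1 is alice<->bob, chat 2 is carol<->dave
CHATS: Dict[int, Set[str]] = {1: {"alice", "bob"}, 2: {"carol", "dave"}}
MESSAGES: Dict[int, Message] = {
    10: Message(10, 1, "alice", "see you at 8"),
    20: Message(20, 2, "carol", "private stuff"),
}


class NotFound(Exception):
    """Raised for anything the caller is not allowed to see; never says why."""


# --- vulnerable resolvers: trust the client-supplied id, ignore the caller ---
def vuln_message(ctx, args):
    return MESSAGES[args["id"]]          # anyone can read any message


def vuln_delete_message(ctx, args):
    msg = MESSAGES[args["id"]]
    msg.deleted = True                   # soft delete, no ownership check
    return msg                           # full record comes back, even on re-delete


# --- hardened resolvers: authorize against the authenticated user in ctx ---
def _visible_message(ctx, msg_id):
    """Return the message only if it is live and the caller is in its chat."""
    msg = MESSAGES.get(msg_id)
    if msg is None or msg.deleted or ctx["user"] not in CHATS[msg.chat_id]:
        raise NotFound("message not found")   # same answer whether it exists or not
    return msg


def message(ctx, args):
    return _visible_message(ctx, args["id"])


def delete_message(ctx, args):
    msg = _visible_message(ctx, args["id"])
    if msg.sender != ctx["user"]:
        raise NotFound("message not found")   # only the sender may delete
    msg.deleted = True
    return {"id": msg.id, "deleted": True}     # status only, no body in the response


if __name__ == "__main__":
    print(vuln_message({"user": "bob"}, {"id": 20}))          # leaks carol's message
    try:
        message({"user": "bob"}, {"id": 20})
    except NotFound as e:
        print("hardened:", e)
```

The hardened version makes every check a function of the authenticated identity in the context rather than of anything in the arguments, and it returns the same `NotFound` whether the message is missing, deleted, or simply not the caller's. A delete mutation that echoes the whole record is a common source of exactly the leak described above; returning an id and a status is enough for the client.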
The main reason I wrote this up was how bad the access control was and the impact it had. Sometimes, the things without bug bounties are worth looking at in order to make the world a more secure place.