Breaking Instacart

Instacart is an American company that operates a same-day grocery delivery service. Customers select groceries from various retailers through a web application, and the order is delivered by a personal shopper. As of 2017, Instacart only has operations and services in the United States. [1]

Instacart has a bug bounty program on HackerOne; you can learn more about it at https://hackerone.com/instacart. I’ve reported multiple valid security issues (ranked #2, https://hackerone.com/instacart/thanks), and this one is worth sharing.

Instacart has a hiring section for shoppers at https://shoppers.instacart.com/, where a potential candidate can enter their details and set up a meeting.

The authentication part of this section was the interesting part.

One day I received an email which said “set up your meeting”. I clicked the link and it logged me in without asking for any credentials.

After breaking down the auth link, I found it was a GET request carrying the pin code, phone number and a verification code, in the format

https://shoppers.instacart.com/applicant_login?code=PINCODE+MOBILE+CODE

The login process from the ‘sign-in’ page required an OTP sent to the registered mobile. I tried to log in multiple times from the login page; the surprising part was that I got the same OTP every time.

In order to show the impact, the attack must be applicable to all accounts.

Obviously, the first attempt was brute forcing the login form with a known mobile number, since the verification code consists of only 5 digits: start from 00000 and go up to 99999. That didn’t work; I got blocked by a rate limit after a certain number of attempts.

As it was a GET request, the URL itself could be brute forced instead, with no rate limit on that path. Just brute force the code part for a known number in the URL

https://shoppers.instacart.com/applicant_login?code=PINCODE+MOBILE+CODE

And it worked!
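As an added defender-side example (not Instacart’s code, and not part of the original post), here is how an applicant login link could be issued and checked so that neither the sign-in form nor the link can be brute forced: a fresh high-entropy, single-use code per request, an expiry, and one shared attempt counter for every verification path. The host name, TTL and attempt limit are assumptions.

```python
import hmac
import secrets
import time

# Assumed policy values for this constructed example.
TOKEN_TTL = 15 * 60      # seconds a link stays valid
MAX_ATTEMPTS = 5         # failed checks per phone before the code is revoked


class ApplicantLogin:
    """Magic-link login whose code cannot be enumerated, reused or kept alive forever."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}   # phone -> [code, expires_at, failed_attempts]

    def issue_link(self, phone):
        """Generate a fresh code on every request; a new link replaces the old one."""
        code = secrets.token_urlsafe(32)          # ~256 bits, not a 5-digit number
        self._pending[phone] = [code, self._clock() + TOKEN_TTL, 0]
        # Hypothetical host; the real endpoint is not this example's concern.
        return f"https://shoppers.example.test/applicant_login?phone={phone}&code={code}"

    def verify(self, phone, code):
        """Return True exactly once for the right code.

        The sign-in form and the link handler must both call this, so the
        attempt limit cannot be bypassed by switching entry points.
        """
        entry = self._pending.get(phone)
        if entry is None:
            return False
        expected, expires_at, failures = entry
        if self._clock() > expires_at:            # expired: drop it
            del self._pending[phone]
            return False
        if not hmac.compare_digest(expected.encode(), code.encode()):  # constant time
            entry[2] = failures + 1
            if entry[2] >= MAX_ATTEMPTS:          # revoke; a new code must be requested
                del self._pending[phone]
            return False
        del self._pending[phone]                  # single use
        return True
```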

Though the whole attack depends on a known pin code and mobile number, Instacart accepted the report as medium severity and paid their highest bounty of that time.

Later, Instacart replaced the auth part with Twitter Fabric.

Thanks for reading. If you have any suggestions or feedback, feel free to reach out on Twitter.

Manish 🙂

Reference:

  1. https://en.wikipedia.org/wiki/Instacart

Hacking Google for fun and profit

I have been doing bug bounties since September 2013 (Asana was the first), and have participated and qualified in almost all bug bounties at least once. My bucket list had Facebook, Yahoo, Twitter, Dropbox, GitHub and 100+ such sites (including a couple of YC startups), but Google VRP was a tough nut to crack. I always wanted to start my bug bounty story with Google, but had failed in the past with a few duplicates.

I was watching 2016 Google I/O, and Firebase was the main focus. I had reported a couple of security issues when they were quite young, and got a mini box full of stickers, bands and hot sauces for my contribution.

So when I saw that Firebase got a new site, that too on *.google.com (https://firebase.google.com/), it all came back to me.

The minimum bounty on Google’s main domain (*.google.com) is $500; more than that, you’ll get your name in the prestigious Google Hall of Fame.

Understanding CSRF attacks

What is CSRF?

“Cross-site request forgery, also known as one-click attack or session riding and abbreviated as CSRF (sometimes pronounced sea-surf) or XSRF, is a type of malicious exploit of a website where unauthorized commands are transmitted from a user that the website trusts.” – Wikipedia

CSRF is at the 8th position in the OWASP Top 10 bug list. Using frameworks like Django or Ruby on Rails reduces the risk of CSRF to a large extent, but it is still there. Also, since the forged request is sent from the user’s own IP address, the website’s logs will show no evidence of an attack.

Examples of CSRF:

CSRF comes in all shapes and sizes. A dangerous one can take over an account; a minor one can destroy your session or log you out.

Every request that changes state on the server should have CSRF protection.

It can be an email change or the addition of user details like a bank account.
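To make the state-changing-request rule concrete, here is an added example (constructed for this page, not code from the original post) of a synchronizer-token check on an email-change handler. It shows the common failure mode of a form that carries a csrf_token field which the handler never validates, beside the handler that validates it against the user’s session; the session layout and request body format are assumptions.

```python
import hmac
import secrets
from urllib.parse import parse_qs


class Session:
    """Assumed server-side session: one secret token per session, rendered into every form."""

    def __init__(self):
        self.csrf_token = secrets.token_hex(32)
        self.email = "alice@example.test"      # constructed sample account


def change_email_unprotected(session, body):
    """Vulnerable: the form ships a csrf_token field, but the handler never looks at it."""
    form = parse_qs(body)
    session.email = form["email"][0]
    return 200


def change_email_protected(session, body):
    """Hardened: refuse any state change whose token does not match the session's token."""
    form = parse_qs(body)
    submitted = form.get("csrf_token", [""])[0]
    # Constant-time comparison; a missing or guessed token fails the same way.
    if not hmac.compare_digest(submitted.encode(), session.csrf_token.encode()):
        return 403
    session.email = form["email"][0]
    return 200


def forged_request():
    """Body a third-party page could auto-submit with the victim's cookies attached.

    The browser sends the victim's session cookie, but a cross-site page cannot read
    the per-session token, so the best it can do is omit it or guess.
    """
    return "email=attacker%40evil.test&csrf_token=guess"
```

Only the protected handler keeps the attacker out; in the vulnerable one the presence of the field gives a false sense of safety, which is exactly why the check must run on every state-changing endpoint.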

Web application security checklist

I printed out my Asana task list for web app security testing; hopefully you’ll find it useful. The OWASP Top 10 are the starting points of web testing, followed by other not-so-common issues.

The comments inside my task list are more helpful (they provide various attack scenarios and test cases), but Asana doesn’t export comments when printing; maybe I’ll write a proper short guide explaining all the points in future. Stay tuned on my Twitter for further updates.

Here is the PDF of the security task list:

security_checklist

Thanks

Manish (@umenmactech)


How I made $2000 in 15 minutes

When I am not hunting, I read about startups and what’s happening in the valley. I check their sites, and as a security guy I cannot stop myself from checking their security. In the process, I came across an accounting web application (they are quite famous and making big bucks; I won’t take the name as they might get disturbed after this post). I was just testing for common bugs: XSS, CSRF and all the regular stuff.

Every field was vulnerable to XSS and every form was vulnerable to CSRF, as the token was not being validated. I used the Contact Us section of the site. Some non-technical lady replied, “Thanks for contacting us, we don’t have any reward scheme or anything”.

Let’s give it one more try: this time I used the About Us page, googled the name of the engineer, found his GitHub account and found his Gmail there. He was really nice to me. Later we had a video chat on Skype; he was explaining things to me and asking about my background. He was impressed. The following is a copy-paste from the original POC that I sent back then:

  1. XSS: JavaScript is not filtered, hence arbitrary JavaScript code can be executed. With document.cookie, a user’s cookie can be stolen, which can lead to full account takeover.

An Introduction to SEO

Last week, we had our first company campus drive of the season. We were all excited. There were 3 job profiles, one of them being SEO executive. I had some know-how of SEO, and I was confident enough to grab this position because my site has Google PageRank 5 and I have a “Certificate of Honor” in SEO.


Although I got the offer letter, they made me uncomfortable during the interview, so I thought let’s get prepared. Here are some of the basic things you should know about SEO as an internet user.

SEO stands for Search Engine Optimization. SEO is the set of techniques one uses to get a site to the top of a search result. If your site is on top of the search result, users are more interested in visiting it, which means more traffic, more users and more money.

For example, when you do a search for Manish Bhattacharya, you will see something like this:

The search result brings my site to the top. Although there are other sites that have my information, my site is on top; hence if you want to know more about me, you will visit my site rather than other random sites.

Now, how is SEO done? SEO requires some optimization in code and content. You should be aware of keywords; in the last example, Manish Bhattacharya was the keyword. Keywords are the stream of words a user searches for on a search engine (Google). You should be aware of which keywords you are focusing on: suppose you are selling mobile phones in Delhi, then your keywords should be strong enough to pop up your site when a user searches for “Mobile phone store in Delhi”.

Other determining factors are your domain name, your site’s title and meta descriptions. Meta descriptions are the information about the site that you see in search results. Here it is:

Meta descriptions and keywords can be added using the meta tag, inside <head> after <title>, like this:

One of the questions I remember from the interview was the maximum length of meta descriptions and keywords. In general, the maximum sizes are:

  • Page Title – 70 characters
  • Meta description – 160 characters
  • Meta keywords – No more than 10 keyword phrases

SEO does not end here; your URL structure matters too. For example, the default URL setting for any WordPress site is like php?id= followed by some post id; a URL with a content description is suggested for better SEO, something like “https://introvertmac.wordpress.com/2014/09/18/getting-into-github-leaderboard/”. Make your site easy to navigate; a better robots.txt and a sitemap really help a lot.

Also optimize your anchor tags and image tags; using title and alt in <img> is suggested for better SEO. Using heading tags (<h1>, <h2>, …) properly is a plus.

Another question that I remember was “Types of SEO, and what are Panda, Penguin, EMD?”.

There are two types of SEO:

  1. White Hat
  2. Black Hat

White hat techniques are those suggested by the search engines to improve your page ranking, while black hat techniques exploit weaknesses of the ranking algorithm to rank on top. You can read more on this here.

Hummingbird, Panda, Penguin, Venice and EMD are the names of Google search result algorithms.

There are other terms that you should know about: SEM (search engine marketing), PPC (pay per click) and more. I hope I’ll share more with you on this. Here’s some suggested further reading if you are interested:

  1. http://www.searchenginejournal.com/maximizing-your-meta-tags-for-seo-and-ctr/
  2. https://econsultancy.com/reports/seo-best-practice-guide
  3. search-engine-optimization-starter-guide

This is just an introduction; SEO jobs are high paying, and SEO experts even make millions just by freelancing. Neil Patel and Hiten Shah are some well-known names in this business.

logging off..

@umenmactech