Hey Hackers!! My name is Krishnadev P Melevila. I am a pen-tester, security analyst and bug hunter. To know more about me, search my name on Google.
Today, I am here with a public disclosure!
All of us know about Secret Anonymous Messages services, which became very popular during the COVID lockdown.
There are many services like Kubool, Secret Message, ngl.link, etc.
These 3 are my main targets. Of those, Kubool and Secret Message have web apps, while ngl works as a mobile app.
So, as I am a web app tester, I started with Secret Message first.
How I hacked Secret Message
In Secret Message, here is how it works:
3. The server generates a cookie for the user.
4. The server creates a link too.
5. The created link can be shared with other members so they can send messages/confessions.
6. All further authentication of the receiver is based entirely on the cookie the server created earlier. Using that cookie, any attacker can take over the user's account and read the private messages.
Now, where is the vulnerability?
The vulnerability lies in the cookie.
It is just sequential, like 4231, 4232, 4233, 4234, etc.
So if my cookie is 4231, yours may be 4232. So every user's cookie can easily be enumerated.
And what if I get it? As I explained above, the cookie is the only auth factor on this platform, so stealing the cookie === stealing the user account.
Basically, an ACCOUNT TAKEOVER VULNERABILITY.
Now, Kubool!
Kubool is also a similar web app, but it claims more security. In practice, a big NO!
How Kubool works
Kubool also works the same way as Secret Message, but here there is an additional authentication step (a useless one).
Steps:
3. Now log in with the creds.
4. Now the server generates two cookies, PHPSESSIONID and XK. Normally PHPSESSIONID cookies are used for authentication purposes, but here, after generating PHPSESSIONID, the server never revalidates that cookie on any subsequent request. This is a major vulnerability.
Apart from that, the XK cookie is a sequential number, like in the former vulnerability, which can be easily enumerated.
So here PHPSESSIONID has no role, and just by enumerating the XK cookie, ACCOUNT TAKEOVER IS POSSIBLE.
So I can read every user's messages, and can even change passwords too…
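As an added example (not from this writeup or either site's code), here is a Python sketch of the two fixes the above implies: random, server-validated session tokens instead of a counter, plus a log check that flags a client walking through consecutive XK values. The SessionStore class, the log line format and the IPs are constructed assumptions.

```python
import re
import secrets
from collections import defaultdict

class SessionStore:
    """Hypothetical in-memory store; a real app backs this with a DB or cache."""
    def __init__(self):
        self._sessions = {}  # token -> user_id

    def issue(self, user_id):
        # 32 bytes from the OS CSPRNG: unlike 4231, 4232, 4233, knowing one
        # token tells an attacker nothing about anyone else's.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = user_id
        return token

    def user_for(self, token):
        # Resolve the cookie against the store on EVERY request; a value the
        # server never issued (or has revoked) maps to no user.
        return self._sessions.get(token)

    def revoke(self, token):
        self._sessions.pop(token, None)

# Constructed log format (assumed, not the sites' real logs): ip path cookie
LOG_LINE = re.compile(r'^(?P<ip>\S+) \S+ cookie="XK=(?P<xk>\d+)"')

def longest_consecutive_run(values):
    """Length of the longest run of consecutive integers in `values`."""
    vals = sorted(values)
    run = best = 1 if vals else 0
    for a, b in zip(vals, vals[1:]):
        run = run + 1 if b == a + 1 else 1
        best = max(best, run)
    return best

def flag_sequential_probes(log_lines, threshold=5):
    """IPs that presented at least `threshold` consecutive XK cookie values."""
    seen = defaultdict(set)
    for line in log_lines:
        m = LOG_LINE.match(line)
        if m:
            seen[m['ip']].add(int(m['xk']))
    return sorted(ip for ip, v in seen.items()
                  if longest_consecutive_run(v) >= threshold)

# Constructed sample: one client walks XK=4231..4237, another reuses its own.
SAMPLE_LOG = [f'203.0.113.7 /inbox cookie="XK={n}"' for n in range(4231, 4238)]
SAMPLE_LOG += ['198.51.100.9 /inbox cookie="XK=4501"'] * 2
```

A legitimate user only ever presents the cookie it was issued, so a single client cycling through neighbouring values is the signal to alert on.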
Proofs:
And many more…
Similarly, NGL.LINK may also be hacked, but as it is an Android app, I currently don't have a pre-installed ecosystem for pen testing it. But I am 60% sure it may have a similar vulnerability.
Special Mention:
I need to thank one of my seniors, Shahir. He constantly supported and guided me in identifying these vulnerabilities; his motivation made me find this vulnerability.
My first vulnerability on NIC: https://medium.com/bugbountywriteup/exposing-millions-of-critical-data-on-kerala-civil-supplies-website-cc3a4bed5d07
My second vulnerability on NIC: https://medium.com/bugbountywriteup/api-authentication-bypass-on-national-informatics-centre-d438b3bae085
My other bug reports: https://medium.com/@krishnadevpmelevila
Don't forget to follow me on Medium and other social media. Also, please give your 50 claps for this write-up; that's my inspiration to write more!!
I need your support to write more. Buy me a coffee, please: https://www.buymeacoffee.com/krishnadevpm
My Instagram handle: https://instagram.com/krishnadev_p_melevila
My Twitter handle: https://twitter.com/Krishnadev_P_M
My LinkedIn handle: https://www.linkedin.com/in/krishnadevpmelevila/