SnapChat -- Complete payment bypass due to multiple issues with the Stripe subscription ID on the SnapChat acquisition https://playcanvas.com

 Company Information : 



Snapchat is an American multimedia instant messaging app and service developed by Snap Inc., originally Snapchat Inc. One of the principal features of Snapchat is that pictures and messages are usually only available for a short time before they become inaccessible to their recipients.


Bug Category : 

Payment Bypass : 

Payment bypass using parameter manipulation vulnerability refers to a security flaw where an attacker can manipulate input parameters related to payment processing in a system to bypass payment mechanisms and obtain goods or services without making a legitimate payment.



Target  Information : 

https://playcanvas.com



Technical Details of the Bug : 

On https://playcanvas.com all payment requests go through Stripe payment services, and only credit cards are accepted for payment. I found issues with the Stripe subscription ID and the PlayCanvas payment flow which lead to a complete payment bypass on https://playcanvas.com.
I am listing the issues below:
  1. Infinite use of a Stripe subscription ID:

    If you buy any type of subscription, you get a Stripe subscription ID to complete the subscription on PlayCanvas. While testing I found that this Stripe subscription ID can be used an infinite number of times. You can use the same subscription ID to subscribe other personal and organisation accounts again and again.
  2. IDOR: a subscription ID works in any PlayCanvas user account:

    Another issue I found was that the subscription ID can be used in any user account, not only the one that paid for it.
  3. Any kind of subscription can be bought with one subscription ID:

    No matter what subscription you bought to get the subscription ID, it will work for any other type of subscription too.

Vulnerable HTTP Request :

POST /api/users/[user_ID]/complete_subscription HTTP/2
Host: playcanvas.com
Cookie: cookies
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:109.0) Gecko/20100101 Firefox/112.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://playcanvas.com/payment?plan=personal&account=vijayg
Authorization: Bearer mikyrt03hv5auc8knqn78s02pbb0eq0u
Content-Type: application/json;charset=utf-8
Content-Length: 82
Origin: https://playcanvas.com
Dnt: 1
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers

{"plan":"personal","seats":1,"subscription_id":"[Subscription_ID]"}


Vulnerable parameter :

Subscription_ID

Steps to reproduce :

In order to reproduce the issue you first have to buy any subscription on PlayCanvas and capture the subscription_ID.
  1. Log in from the attacker account and go to account settings.
  2. Now buy a new personal subscription with 1 seat.
  3. Capture the final request as shown above and note the Subscription_ID.
  4. Check that your purchase was successful.
  5. Now log in from the attacker's second account and send the above request from that account.
  6. Change the user_ID to the attacker's second account and keep the same Subscription_ID from step 3.
  7. Send the request and you will notice that the payment is reported as successful and you are subscribed for free.
  8. Now you can use the same subscription ID for an organisation account upgrade, which costs 50$. You can also add as many seats as you want. This is how the complete payment can be bypassed.
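The three gaps above (reuse, cross-account use, and plan/seat mismatch) are all closed by the same principle: the server must treat the paid Stripe record as the source of truth and bind it to exactly one owner and one account. The following is an added example of such a server-side check, not PlayCanvas code; the in-memory FAKE_STRIPE table, the Store class, user and account names, and the complete_subscription function are all constructed for illustration (a real handler would read the same fields from the Stripe subscription object).

```python
# Added example (not PlayCanvas code): server-side checks for a
# complete_subscription endpoint that close the three reported gaps.
from dataclasses import dataclass, field
from typing import Dict, Tuple

# Constructed stand-in for a Stripe subscription lookup. A real service would
# read customer, status, plan and quantity from the retrieved Stripe object.
FAKE_STRIPE = {
    "sub_personal_1": {"customer": "cus_alice", "status": "active",
                       "plan": "personal", "quantity": 1},
    "sub_org_1": {"customer": "cus_bob", "status": "active",
                  "plan": "organization", "quantity": 5},
}


@dataclass
class Store:
    # user id -> Stripe customer id created when that user first paid
    customer_of_user: Dict[str, str] = field(default_factory=dict)
    # subscription id -> account it has already been applied to (single use)
    bound: Dict[str, str] = field(default_factory=dict)


def complete_subscription(store: Store, user_id: str, account_id: str,
                          body: dict) -> Tuple[bool, str]:
    """Return (ok, reason). Rejects cross-user use, reuse and plan mismatch."""
    sub_id = body.get("subscription_id")
    sub = FAKE_STRIPE.get(sub_id)
    if sub is None or sub["status"] != "active":
        return False, "unknown or inactive subscription"
    # Issue 2 (IDOR): the subscription must belong to the caller's own customer.
    if store.customer_of_user.get(user_id) != sub["customer"]:
        return False, "subscription not owned by requesting user"
    # Issue 1 (reuse): one paid subscription may be applied to one account only.
    if sub_id in store.bound:
        return False, "subscription already applied to " + store.bound[sub_id]
    # Issue 3 (plan/seats): trust what was paid for, not the request body.
    if body.get("plan") != sub["plan"] or int(body.get("seats", 0)) > sub["quantity"]:
        return False, "requested plan or seats exceed what was paid for"
    store.bound[sub_id] = account_id
    return True, "subscribed"
```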


Impact : 

Complete payment bypass due to multiple issues with the Stripe subscription ID on https://playcanvas.com (vulnerable payment flow).


Timeline : 

April 29th 2023: Report sent to the Snapchat Product Security Team through HackerOne.

May 04th 2023: Report Accepted and Triaged.

May 17th 2023: Complete issue was resolved and confirmed.
