Hi Folks, This is the third part of A brief on Abusing Invitation Systems blog post, In case you have missed the previous parts of this story of write-ups, it is advised to have a sneak peak at the First & Second part before you go on with this post. So before we kick off to our case study let’s get a brief about some technical terms first, I am Ali Kabeel an Application Security Intern at Seekurity and let’s dive in…
In this blogpost we will clarify how we found A tail of vulnerabilities from leaking thousands of Job Applicants CVs and documents online to Path Disclosure and Information Disclosure Vulnerabilities in one of United Nations WordPress websites but first what is United Nations?
The United Nations (UN) is an intergovernmental organization tasked to promote international co-operation and to create and maintain international order. A replacement for the ineffective League of Nations, the organization was established on 24 October 1945 after World War II with the aim of preventing another such conflict. At its founding, the UN had 51 member states; there are now 193. The headquarters of the UN is in Manhattan, New York City, and is subject to extraterritoriality. Further main offices are situated in Geneva, Nairobi, and Vienna. The organization is financed by assessed and voluntary contributions from its member states. Its objectives include maintaining international peace and security, promoting human rights, fostering social and economic development, protecting the environment, and providing humanitarian aid in cases of famine, natural disaster, and armed conflict. The UN is the largest, most familiar, most internationally represented and most powerful intergovernmental organization in the world. –Wikipedia
I am Ali Kabeel an Application Security Intern at Seekurity team. This is Second part of A brief on Abusing Invitation Systems blog post . In this blog post I will be mainly focusing on how I was able “by following the tips and tricks in the previous blog post” to bypass Facebook fixes for 4 consecutive years.In case you are not familiar with concepts, take a sneak peak on the previous blog before continuing with this one ;).
[-] About the Tool:
Trape is a recognition tool that allows you to track people, the information you can get is very detailed. We want to teach the world through this, as large Internet companies could monitor you, obtaining information beyond your IP.
Welcome back again, This is Ali Kabeel in case you don’t remember me read my first blog about Abusing invitations systems.
In this blog we will be continuing our talk about Business logic bugs and how dangerous and simple they can become, I will be showing you one of the simplest yet the most dangerous bugs I have found in the gigantic photo sharing app Instagram but first lets get an overview of some concepts and general knowledge.
I am Ali Kabeel an Application Security Intern at Seekurity team. This is my first blog i hope you like it. In this blog post I will be mainly focusing on Business Logic vulnerabilities by offering some tips and tricks on how to abuse invitation systems using real-world examples from my Facebook Bug Bounty experience but first let’s get a general knowledge about some concepts.
Let me tell you the story about some typical vulnerabilities that was discovered by @Seekurity Team in BMW ConnectedDrive service which will allow any beginner attacker to hijack the whole service!
First what is BMW ConnectedDrive service?
BMW ConnectedDrive – a technology packet full of services and apps that connects you closely to the world around you. It makes tasks easier and quicker to perform, giving you more time for what’s really important: your family, friends and free time.