Whenever I download an app, I sometimes like to explore how it works by reverse engineering it (not all apps just the ones that seem buggy). I'm just naturally curious. Anyways, I happened to find a sports betting app where it was legal for me to bet, which prompted me to "explore" it. However, after digging around, I found a vulnerability that shouldn't have existed.
There are various methods to reverse engineer apps. Usually, you have to decompile the app, bypass SSL pinning, and then you can start looking at the code and requests it makes. However, this app didn't seem to have any SSL pinning. I was able to view the requests the app made by just visiting the desktop site and then using developer tools to switch to mobile view. Don't allow this if you're an app developer.
Now that I could see the requests, I started to use the app and see what requests were made. I tried creating accounts, logging in to my own account, or playing around with my profile. It was time to see if I could find a vulnerability.
I started by recreating some of the browser's requests in Node JS. I happened to copy the change bio request and it seemed to work locally. The request looked something like...
So after recerating the request, I started to play around with some of the fields I was passing in. I first wanted to see if an obvious XSS vulnerability existed. Thankfully, to my knowledge, there wasn't one. I did notice that the auth_token field seemed to be related to my public user id. To confirm, I tried loading other profiles and noticed I could easily get their auth_token as well.
What if I could use this auth_token to make requests on behalf of other users? Well, I tried it and it worked. This was a generic case of IDOR (Insecure direct object references). I was really suprised that an app that my friends and I used had such a vulnerability.
I tried to find other IDOR vulnerable endpoints, but changing bios was the only one I could find. I looked for ways to report the bug directly to the company, but I couldn't find any. So, I just changed some of the top profiles' bios to say "follow me on twitter".
This vulnerability has since been patched. I purposely avoided saying the name of the app just in case. I hope that this story shows the importance of making your app secure. It's always suprising when an app used by thousands of people turns out to have such simple vulnerabilities. Overall, this was a fun learning experience for me. Now that I've had a couple software engineering internships, I can see how important security is in the development process. Never forget to check for IDOR vulnerabilities!