In July 2023, I received an invitation to a large bug bounty program with a massive number of assets in scope. My approach mirrored what I typically do when testing such extensive programs: searching for old endpoints with specific Google Dorks.
After digging and experimenting with various dorks, I discovered a subdomain dedicated to storing user orders:
https://orders.privateprogram.com/webapp/wcs/stores/servlet/OrderView?orderId=002233893
I visited it but, as expected, got a Forbidden error: OrderView refuses to show an order to a visitor with no session.
I wanted to see if there were more endpoints, so I saved that one for later and turned to the Wayback Machine, where I found this interesting endpoint:
https://orders.privateprogram.com/webapp/wcs/stores/servlet/MailOid?orderId=003163553&mailId=a1c156c4-6c4a-4bf9-9a17-2c5bvcdf6ec1
I requested it and received a '200 OK' response, but the page was blank. Inspecting the raw response, I noticed the server set cookies on every request:
HTTP/1.1 200 OK
.
..
...
Set-Cookie:WC_PERSISTENT*=*************************
Set-Cookie:WC_AUTHENTICATION_*=***********************
Set-Cookie:WC_USERACTIVITY_*=*************************
...
..
.
If you are familiar with these cookies, you know they are authentication cookies: the WC_ prefix and the /webapp/wcs/stores/servlet/ path are characteristic of IBM WebSphere Commerce, where WC_AUTHENTICATION_* and WC_PERSISTENT carry the logged-in session. In other words, a blank page from MailOid still logs the browser in.
So I tried to view order 003163553 with those cookies:
https://orders.privateprogram.com/webapp/wcs/stores/servlet/OrderView?orderId=003163553
And it worked! I gained access to that order. I speculated that the mailId might serve as a security key for accessing orders. To test this theory, I repeated the same steps with another orderId I had found during the earlier Google dorking (order 002233893, remember?): MailOid with orderId=002233893 and the same mailId, then OrderView. That order opened as well:
https://orders.privateprogram.com/webapp/wcs/stores/servlet/OrderView?orderId=002233893
The mailId is evidently meant to act as a per-order secret, but the server never checks which order it belongs to. A single valid mailId therefore works as the key for every order: the MailOid endpoint issues session cookies for whatever orderId is in the query string, as long as a valid mailId is present:
https://orders.privateprogram.com/webapp/wcs/stores/servlet/MailOid?orderId=<anyorder>&mailId=a1c156c4-6c4a-4bf9-9a17-2c5bvcdf6ec1
To summarize, if I wanted to access, let's say, orderId 002143893, my first step would be to request the following in order to obtain the cookies for that specific order:
https://orders.privateprogram.com/webapp/wcs/stores/servlet/MailOid?orderId=002143893&mailId=a1c156c4-6c4a-4bf9-9a17-2c5bvcdf6ec1
I will get a blank response, but the server will provide me with the cookies for that specific order.
HTTP/1.1 200 OK
.
..
...
Set-Cookie:WC_PERSISTENT*=*************************
Set-Cookie:WC_AUTHENTICATION_*=***********************
Set-Cookie:WC_USERACTIVITY_*=*************************
...
..
.
With those cookies set, I can access order 002143893:
https://orders.privateprogram.com/webapp/wcs/stores/servlet/OrderView?orderId=002143893
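The two-step flow above, reduced to a runnable model so the missing check is visible. This is an added example, not the program's code: the order data, mailIds and cookie name are constructed, and the handlers are a minimal reconstruction of the behaviour observed (a valid mailId makes MailOid issue cookies for whatever orderId is requested), placed next to a hardened variant that binds each mailId to the single order it was generated for.

```python
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample data (not the program's real orders or mailIds).
ORDERS = {
    "003163553": {"email": "alice@example.com", "total": "120.00"},
    "002233893": {"email": "bob@example.com", "total": "45.99"},
    "002143893": {"email": "carol@example.com", "total": "310.50"},
}
# Each mailId is the token embedded in one customer's order e-mail link,
# so it should only ever open the order it was generated for.
MAIL_IDS = {
    "11111111-1111-4111-8111-111111111111": "003163553",  # Alice's link
    "22222222-2222-4222-8222-222222222222": "002233893",  # Bob's link
}


@dataclass
class OrderServer:
    """Minimal model of MailOid + OrderView (hypothetical, for illustration).

    bind_mail_id_to_order=False reproduces the behaviour in the writeup:
    any valid mailId makes MailOid issue cookies for whatever orderId is
    in the query string. True is the hardened variant.
    """
    bind_mail_id_to_order: bool
    sessions: dict = field(default_factory=dict)  # cookie value -> orderId

    def mail_oid(self, order_id: str, mail_id: str) -> Optional[dict]:
        """Return the Set-Cookie values, or None for a forbidden response."""
        owner_order = MAIL_IDS.get(mail_id)
        if owner_order is None:
            return None  # unknown mailId: no session at all
        if self.bind_mail_id_to_order and owner_order != order_id:
            return None  # the fix: a mailId only authorises its own order
        token = secrets.token_hex(16)
        self.sessions[token] = order_id  # session scoped to this order
        return {"WC_AUTHENTICATION_1": token}

    def order_view(self, order_id: str, cookies: Optional[dict]) -> Optional[dict]:
        """Return the order only if the session cookie is scoped to it."""
        if not cookies:
            return None  # no cookies: forbidden, as on the first visit
        token = cookies.get("WC_AUTHENTICATION_1")
        if self.sessions.get(token) != order_id:
            return None
        return ORDERS.get(order_id)


def fetch_order(server: OrderServer, order_id: str, mail_id: str) -> Optional[dict]:
    """The two-step flow from the writeup: MailOid for cookies, then OrderView."""
    cookies = server.mail_oid(order_id, mail_id)
    return server.order_view(order_id, cookies)


def leaks_other_orders(server: OrderServer, mail_id: str, own_order: str) -> bool:
    """Bounty-style check: does a mailId open any order other than its own?"""
    return any(
        fetch_order(server, other, mail_id) is not None
        for other in ORDERS
        if other != own_order
    )


if __name__ == "__main__":
    alice = "11111111-1111-4111-8111-111111111111"
    vulnerable = OrderServer(bind_mail_id_to_order=False)
    hardened = OrderServer(bind_mail_id_to_order=True)
    print("vulnerable leaks:", leaks_other_orders(vulnerable, alice, "003163553"))  # True
    print("hardened leaks:", leaks_other_orders(hardened, alice, "003163553"))  # False
```

The only difference between the two servers is the one comparison in mail_oid: the observed behaviour validates that the mailId exists, the fix additionally validates that it was issued for the orderId being requested. Against a live target the same check is a pair of requests with a cookie jar (MailOid for your own order's mailId plus someone else's orderId, then OrderView), which is exactly what the steps above describe.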
This vulnerability could have allowed an attacker to access anyone's order, including sensitive details such as payment method, contract PDF, billing and shipping address, email address, phone number, and first and last names, potentially exposing the information of 3 million people.
As you can see, Google Dorking and the Wayback Machine were the key to finding this issue.
After investigating, the security team concluded that the vulnerability had never been exploited.
Timeline:
Reported → July 19th 2023
Triaged → July 20th 2023
Max Critical Bounty + Bonus Awarded → July 24th 2023
Fixed → July 24th 2023