Wednesday, June 23, 2021

Generate online votes using Race Condition Vulnerability in Woobox Web Application (Write Up)

Good day Readers,


In this post I will show you how I found a simple Race Condition Vulnerability in Woobox. It affects their customers that used their platform for online voting contest. 

Early of December 2020 while watching a Valorant stream on Twitch, the streamer said that she is nominated for a contest operated by Riot Games and she gives the link of the contest on her stream chat.

As a viewer of her stream, I opened the link of the contest and tried logging in using my Google account and voted for her and I noticed that you can only vote once on your account so that means only one streamer in every account. Since I'm doing a recon that time and curious about the voting system, I tried logging in again with my other account and tried voting again but before I click on her profile to vote, I captured the request using Burp to see how the voting feature works and what program they are using.

After intercepting the request I noticed something interesting. I tried sending the request to the repeater and started checking every parameters of it and one of the parameters caught my attention after a few analysis. I noticed that one of the parameter is the one that adds a number of vote after clicking the profile of the streamer and the other interesting thing is that there is no user authentication after repeating the request though if you will do it without intercepting, you can't vote multiple times with one account but due to the vulnerability I noticed that I can vote many times using one account when intercepting it.

So my idea is to send the request to intruder and automate that request and surprisingly it works and the streamer that I voted increased her votes instantly and within a few minutes by just automating the request. (and btw she won the contest)

So long story short, I found a Race Condition Vulnerability on Woobox which affects their customers that used their platform for online voting contest. An attacker can manipulate or generate votes by automating because it lacks user authentication. I tried contacting Woobox and the Website that runs the contest but got no response from both sides.


--Proof of Concept--


Below is the actual video demonstration of the vulnerability.



--Timeline--

Reported: Dec 7, 2020
Opened a Disclosure Assistance on Hackerone: Dec 21, 2020

But no response from Woobox and H1 Disclosure Assistance so I decided to publish this writeup.


I hope you enjoy this write up, stay safe and have a great day y'all!


"At the end of life, what really matters is not what we bought, but what we built; not what we got, but what we shared; not our competence, but our character; and not our success, but our significance. Live a life that matters. Live a life of love"

1 comment: