there are two logic holes in the official app of blackhat

Posted by tzul at 2020-04-04

If the app or website of an ordinary enterprise has loopholes, it is actually a very normal thing. But if someone tells you that freebuf or wooyun has a hole, the first reaction in everyone's mind must be "hold a wipe, big news"!

The black hat conference will be held soon. As the most famous black hat safety conference in the world, it naturally attracts many people's attention. The app of black hat 2016 allows participants to view their own registration information, meeting arrangement, message notification and a series of information about the meeting. It is worth noting that black hat 2016 app has two very strange logic vulnerabilities, which can be replicated in IOS and Android apps.

Next, let Xiaobian analyze these two logic vulnerabilities for you.

Vulnerability analysis

Email duplicate registration vulnerability:

Generally, when you register through email, you will have a verification, which is mainly used to distinguish whether the email has registered an internet account, but black hat doesn't play the card according to the routine! Suppose that user a has registered the account of black hat 2016 with his own email. At this time, user B didn't want to pay for the tickets, so he registered a black hat 2016 account with user a's email. That is to say, hackers can use the registered email account to register the black hat account again. I'll draw a picture to show you.

Actually, this is just an example. There are many ways to exploit this vulnerability. Please help yourself.

Cookie validation vulnerability:

Generally speaking, when you change your password, the previous cookie value cannot be used any more, and you need to log in again. Black hat seems to be very confident in the security of its app, so after the user changes the password, the previous cookie value can still be used all the time. WTF?! yeah, that's it. One thing to explain is that suppose a's account was stolen by B and logged in to B's mobile phone. At this time, a resets the password of his black hat account. But as long as B does not exit a's account, B can always view all the information of a's balck account. Weak ask black hat, can't session be added in the process of app data transmission? I'll continue to demonstrate it with a picture.

Reference resources