Open in app

Sign in

Write

Sign in

How I made 1000$ with AT&T Bug Bounty(H1)

Adesh Kolte
3 min readOct 2, 2019

Hello, Guys, I m back with a new Story on bug bounty, I found this bug last year on AT&T bug bounty program (Now its H1 Program), thought of sharing it

So here I would like to share how I got 1000$ for reporting CSRF vulnerability in AT&T which Leads to user account takeover

here you will get to know the importance of Account Takeover 👊:v:) ,

So here’s how it went on, earlier during my engineering 3rdyear, I had too much free time, That time my daily schedule was like,

Eat-> Sleep -> Bug Hunting -> Repeat

CSRF (Cross site request forgery) is the vulnerability that tricks the user to submit the malicious request if there is no implementation of the Anti-CSRF tokens in the forms or site. When implemented your website https://example.com will include a random generated number or token to every page which is impossible to guess by the attacker so https://example.com will include it when they serve it to you. It differs each time they serve any page to anybody so attacker won’t be able to generate a valid request because of the wrong token.

Vulnerability: CSRF/XSRF (Cross site request forgery)
Severity: Critical

  • The target is https://www.att.com.mx/tienda/customer/account/editPost/
  • Create two accounts csrfattacker (Mozilla) and csrfvictim (Chrome) or you can also test it with one account.
  • After login in both accounts with different browsers go to account settings and click on edit in mozilla.
  • Open any web proxy tool to intercept the request of the profile change
  • We can exploit the form both ways manual/automated but we’ll Use automated exploitation with burp
  • Right click on request and select Engagement tools and click on ‘Generate PoC request’, Here copy HTML and save it as csrf.htm
CSRF Poc
  • change the email id in the html if you want takeover with email. you can use password too for takeover. If you’re trying to exploit manually you can just use one ‘email’ field (Mendatory (*) fields are needed, rest you can delete) and exploit the request.
  • In new tab in chrome open csrf.html and click on submit request and you’ll get victim’s account with Email/Password, to cross verify you can refresh the first tab.

Thank u for reading this article

Got 1000$ Bounty From HackerOne

Have a happy hunting

.

Security

--

--

Adesh Kolte

Written by Adesh Kolte

604 Followers

Listed in Top 100 most respected hackers in the world by Microsoft at the BlackHat conference in America 2018

Help

Status

About

Careers

Blog

Privacy

Terms

Text to speech

Teams