Web Security | Web Hacking | Bug Bounty POC | Web Penetration Testing Tools

Saturday, July 16, 2016

Pocket – Authentication Bypass in iOS App



Pocket:

Pocket, previously known as Read It Later, is an application and service for managing a reading list of articles from the Internet. It is available for OS X, Windows, iOS, Android, Windows Phone, BlackBerry, Kobo eReaders, and web browsers. The application was originally intended only for desktop computers.
The application allows the user to save an article or web page to the cloud for later reading. The article is then sent to the user's Pocket list (synced to all of their devices) for offline reading. Pocket removes clutter from articles and allows the user to adjust text settings for easier reading.

The Mechanism:

In the Profile section of the application there is an option that lets a user change their profile details. The same screen also lets the user change their password, but only after entering the current password: without the old password, no changes are made to the account. In this article I will show how I bypassed this check and changed the password.

Bypassing the protection:

The goal is to change the password to "test" without entering the current password, so go to the profile settings:
  1. Open the App
  2. Select the Gear icon
  3. Select “Edit Account”
  4. Select “Change Password”
In the current-password field enter any value (it will be removed in a later step), and enter "test" in both new-password fields, which will be our new password. Before the change is submitted, intercept the request; I used Burp Suite for this.
Once the request is captured, it contains the following parameters:
newpassword (the new password)
password (the current password as typed in the app)
access_token
consumer_key
locale_lang
oauth_timestamp
oauth_nonce
sig_hash

Now simply delete the "password" parameter from the request and forward it. This bypasses the protection: the server never checks whether the "password" parameter is present, it only validates the current password when the parameter is there. With the parameter removed, the request is processed and the password is changed without the old password ever being supplied. In other words, the "current password required" rule was enforced by the app's form, not by the server, and anything enforced only in the client can be removed with an intercepting proxy. That is how I bypassed the protection of this app.

Fix / Patch:

The check has to happen on the server when the request is received, not only in the app's form. The server must treat "password" as a required parameter, reject any change-password request in which it is absent or empty, and verify the supplied value against the stored credential before writing the new password. A missing parameter should fail the request (and the app can then prompt the user again), never skip the check.
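To make the two behaviours concrete, here is an added Python model of the change-password handler. It is not Pocket's code and is not from the original post. It builds a constructed form body using the parameter names listed above (with placeholder values), reproduces the Burp edit of deleting the "password" parameter, and runs the result against a handler that only checks the current password when the field is present, next to one that fails closed. The user store, the username "alice", the stored password "oldpass" and the PBKDF2 hashing are all assumptions for the demo; the real service would resolve the user from access_token, which is out of scope here.

```python
# Added example (not Pocket's code): a minimal model of the password-change
# handler described in the post, in its vulnerable and hardened forms.
# Everything here is constructed: the user store, the request body and the
# hashing scheme are assumptions; only the parameter names come from the post.
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode

# Constructed request body with the parameters the post lists. The token,
# key, nonce and sig_hash values are placeholders, not captured values.
CAPTURED_BODY = (
    "newpassword=test&password=random123&access_token=ACCESS_TOKEN"
    "&consumer_key=CONSUMER_KEY&locale_lang=en-US"
    "&oauth_timestamp=1468627200&oauth_nonce=NONCE&sig_hash=SIG"
)


def parse_form(body: str) -> dict:
    """Decode an application/x-www-form-urlencoded body into a flat dict."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def strip_param(body: str, name: str) -> str:
    """Reproduce the Burp edit from the post: delete one parameter entirely."""
    params = parse_form(body)
    params.pop(name, None)
    return urlencode(params)


def _hash_password(password: str, salt: bytes) -> bytes:
    # Assumed storage scheme for the demo: salted PBKDF2-HMAC-SHA256.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_store() -> dict:
    """Fresh constructed user store: one user whose current password is 'oldpass'."""
    salt = b"constructed-salt-not-for-real-use"
    return {"alice": {"salt": salt, "hash": _hash_password("oldpass", salt)}}


def verify_password(store: dict, user: str, candidate: str) -> bool:
    rec = store[user]
    return hmac.compare_digest(rec["hash"], _hash_password(candidate, rec["salt"]))


def _set_password(store: dict, user: str, new_password: str) -> None:
    store[user]["hash"] = _hash_password(new_password, store[user]["salt"])


def change_password_vulnerable(store: dict, user: str, body: str):
    """Models the behaviour the post describes: the current password is checked
    only when a 'password' field is present, so a request without it falls
    straight through to the update. `user` is assumed already resolved from
    the access token."""
    params = parse_form(body)
    if "password" in params:
        if not verify_password(store, user, params["password"]):
            return False, "current password incorrect"
    _set_password(store, user, params["newpassword"])
    return True, "password changed"


def change_password_fixed(store: dict, user: str, body: str):
    """Fail closed: both fields are required, and the current password must
    verify against the stored hash before anything is written."""
    params = parse_form(body)
    current = params.get("password")
    new = params.get("newpassword")
    if not current or not new:
        return False, "missing required field"
    if not verify_password(store, user, current):
        return False, "current password incorrect"
    _set_password(store, user, new)
    return True, "password changed"


if __name__ == "__main__":
    tampered = strip_param(CAPTURED_BODY, "password")
    store = make_store()
    print("vulnerable, no 'password' param:", change_password_vulnerable(store, "alice", tampered))
    store = make_store()
    print("fixed, no 'password' param:     ", change_password_fixed(store, "alice", tampered))
    print("fixed, correct password:        ",
          change_password_fixed(store, "alice", CAPTURED_BODY.replace("random123", "oldpass")))
```

Run it directly to see the vulnerable handler accept the stripped request and the fixed handler reject it. The point of change_password_fixed is that absence (or emptiness) of the parameter is treated exactly like a wrong password, so there is no code path that reaches the update without a verified current password.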
Video PoC:

