Wednesday, March 5, 2014

Authorization Bypass in eBay Marktplaats

Marktplaats is a website owned by eBay that allows users to buy and sell products in addition to posting jobs.

The job management feature got my interest. I added a job and played with the job removal feature.

If you click on the remove link, a request like the one below is sent:

When I pulled the trigger and tried to tamper with the jobid, changing it to the jobid of another user that I had created, the server gave me an authorization error :-(

So, I postponed my tampering and moved on to the next step in the job removal process. The next step was the delete confirmation:

When I clicked on the "Delete" button, I tampered with the jobid in the confirmation request:

The server responded with:

It was a 302 status that redirected me to the successful deletion page, so the confirmation step had deleted the other user's job without checking ownership. We have a vulnerability :-)

This is the normal scenario the app was expecting:

This is what the attacker can do:
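To make the defect concrete, here is an added illustration in Python (not code from the post or from Marktplaats) of a two-step removal flow: the first step checks that the caller owns the job and renders the confirmation page, while the second step, the request that actually deletes, trusts that the check has already happened and acts on whatever jobid it receives. The hardened handler repeats the ownership check at the state-changing step. The job ids, user ids and route names are constructed for this example.

```python
"""
Added illustration of a two-step job-removal flow (not the Marktplaats code).
Vulnerable version: ownership is checked only when the confirmation page is
rendered (step 1), not when the confirmation POST is processed (step 2).
Fixed version: the state-changing step re-checks ownership against the jobid
carried in its own request. All ids and routes are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Job:
    job_id: int
    owner_id: int


@dataclass
class JobStore:
    """Minimal in-memory stand-in for the jobs table."""
    jobs: dict = field(default_factory=dict)

    def get(self, job_id):
        return self.jobs.get(job_id)

    def delete(self, job_id):
        self.jobs.pop(job_id, None)


class AuthorizationError(Exception):
    """Raised when the caller does not own the requested job."""


def remove_job_step1(store, user_id, job_id):
    """Step 1 (hypothetical GET /remove?jobid=...): renders the confirmation page.
    In the vulnerable flow this is the only place ownership is checked."""
    job = store.get(job_id)
    if job is None or job.owner_id != user_id:
        raise AuthorizationError("jobid does not belong to this user")
    return {"status": 200, "confirm_jobid": job_id}


def remove_job_step2_vulnerable(store, user_id, job_id):
    """Step 2 (hypothetical POST /remove/confirm): assumes step 1 already
    authorized the jobid, so a tampered jobid deletes any user's job."""
    store.delete(job_id)
    return {"status": 302, "location": "/removed"}


def remove_job_step2_fixed(store, user_id, job_id):
    """Hardened step 2: authorization is enforced on the request that mutates
    state, using the jobid from this request rather than an earlier one."""
    job = store.get(job_id)
    if job is None or job.owner_id != user_id:
        raise AuthorizationError("jobid does not belong to this user")
    store.delete(job_id)
    return {"status": 302, "location": "/removed"}


def run_tamper_scenario(step2_handler):
    """Replays the post's scenario against a given step-2 handler.

    User 1 owns job 100, user 2 owns job 200 (constructed data). User 1 passes
    step 1 with their own job, then submits the confirmation with jobid=200.
    Returns (victim_job_still_exists, outcome) where outcome is the HTTP status
    or the name of the raised exception.
    """
    store = JobStore({100: Job(100, owner_id=1), 200: Job(200, owner_id=2)})
    caller = 1
    remove_job_step1(store, caller, 100)          # legitimate first step
    try:
        resp = step2_handler(store, caller, 200)  # tampered confirmation
        outcome = resp["status"]
    except AuthorizationError:
        outcome = "AuthorizationError"
    return store.get(200) is not None, outcome


if __name__ == "__main__":
    print("vulnerable:", run_tamper_scenario(remove_job_step2_vulnerable))
    print("fixed:     ", run_tamper_scenario(remove_job_step2_fixed))
```

The fix is not to harden step 1 further but to stop trusting it: every request that changes state must re-derive authorization from its own parameters and the current session, because nothing prevents a client from skipping or altering the earlier step. A regression test that replays the tampered confirmation, as `run_tamper_scenario` does, is the cheapest way to keep this class of bug from reappearing.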

Marktplaats fixed the issue and sent me a token of appreciation. I was not rewarded because another researcher had already reported the vulnerability.

The Marktplaats bug bounty rules can be found at
