How I deleted your Zomato account!

Hi, friends :D,

Zomato is an online restaurant search and discovery service providing information on home delivery, dining-out, cafés and nightlife for various cities of India and 21 other countries. It has 62.5 million registered users.

I was hooked by it, so I was messing around with Zomato. While checking out the settings section I found the “Delete my account” option, and after clicking on it a prompt like this appears:

[Screenshot: zomato hack]

Now, to delete the account you have to type “delete” inside it and confirm. But there was a flaw: there was no CSRF token available to validate the request!

What is a CSRF token?
A CSRF token is a protective measure used to prevent cross-site request forgery attacks; it checks whether the request is coming from the legitimate user or not.

Now the exploitation part
I created a quick working snippet which allows you to delete any user’s account. To delete his or her account you just need to send this code via HTML or as a link. 😛

<form action="" method="POST">
  <input type="hidden" name="reason" value="woot woot">
  <input type="hidden" name="userid" value="[User ID of the account you wanna delete]">
  <input type="submit" value="Submit request">
</form>

Video PoC:
Save this as delete.html and send it to your friend!


It was easy to grab any user’s userid by just visiting their profile and copying the user ID, which increased the severity. 😉

Fixing timeline:

[+] July 21, 2015: reported to the support team

[+] Bug fixed by the team.

Let the #internet be a #safer place 🙂

Cisco Meraki AJAX-based CSRF

Hello friends 🙂 This is the write-up of my Cisco Meraki findings. I was just 😉 trying a different platform for a change, so I logged in and played the game of request and response. After a few back-and-forth requests it was clear that it’s an AJAX-based web app, so I started trying for standard security issues like XSS, CSRF, injections, etc. Finally I got one in which I was able to disconnect the admin from his own account.

When you removed the token from the AJAX request, the request still completed. So I checked again: it wasn’t validating the XSRF token at all, so it was a CSRF.

[+] PoC challenge
The thing is that you can easily create a PoC via Burp for those web apps which send their anti-CSRF tokens in the request body, but sometimes you have to struggle with web apps that send their CSRF tokens via a header, especially AJAX-based ones, like “X-XSRF-Token”: “value”;

So now I had to create the PoC manually, so I coded this:
var request = new XMLHttpRequest();
request.open('POST', 'url', true); // the POST URL where the web app was sending the data (the request for removal)


But AJAX has its own security policies to be satisfied first!
Same-origin policy on AJAX

The same-origin policy dictates that an AJAX object’s ability to fully communicate on the user’s behalf is possible only if the following conditions are met:
► The protocol used by the AJAX object must be identical to the protocol of the origin page.
► The target port of the AJAX object must be identical to the port of the origin page.
► The domain of the host and the domain of the AJAX object’s target host must be identical.

The only thing to do was to use an overly permissive browser ===> IE.
So it worked.
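As an added defender-side example (not code from either write-up, nor from Zomato or Cisco), here is a Python check that rejects state-changing requests whose anti-CSRF token is missing or does not match the session, whether the token travels in a form field (the Zomato delete form, which carried none) or in an X-XSRF-Token header (the Meraki AJAX case, where the header was never validated). The request dicts, field names and token values are constructed for the demo.

```python
import hmac
import secrets

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def issue_token() -> str:
    # One unpredictable token per session; assumed 32 random bytes, hex-encoded.
    return secrets.token_hex(32)


def csrf_check(session_token: str, request: dict) -> tuple:
    """Return (allowed, reason) for a constructed request dict with the keys
    'method', 'headers' and 'form'. The token may arrive either as a form
    field (classic form POST, the Zomato case) or in the X-XSRF-Token header
    (AJAX apps, the Meraki case); either way it must match the session."""
    if request.get("method", "GET").upper() in SAFE_METHODS:
        return True, "safe method, no state change expected"
    headers = {k.lower(): v for k, v in request.get("headers", {}).items()}
    supplied = headers.get("x-xsrf-token") or request.get("form", {}).get("csrf_token")
    if not supplied:
        return False, "missing anti-CSRF token"
    # Constant-time comparison so timing differences cannot help guess the token.
    if not hmac.compare_digest(supplied, session_token):
        return False, "anti-CSRF token does not match session"
    return True, "ok"


def demo() -> list:
    token = issue_token()
    # Constructed requests mirroring the two write-ups.
    forged_form = {"method": "POST", "headers": {},
                   "form": {"reason": "woot woot", "userid": "12345"}}   # no token at all
    ajax_no_header = {"method": "POST", "headers": {"Content-Type": "application/json"}, "form": {}}
    ajax_legit = {"method": "POST", "headers": {"X-XSRF-Token": token}, "form": {}}
    ajax_wrong = {"method": "POST", "headers": {"X-XSRF-Token": "a" * 64}, "form": {}}
    return [csrf_check(token, r)[0] for r in (forged_form, ajax_no_header, ajax_legit, ajax_wrong)]


if __name__ == "__main__":
    print(demo())  # only the legitimate AJAX request is allowed
```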

Video PoC:


[+] Fixed

Hope this write-up was helpful.

Insecure Data Storage (Access Token Exposed) in Instagram

Hello friends, this was the issue I found during my security research while reversing the Instagram app.

During analysis I went towards the juicy part, “shared_pref.xml”, and hopefully it had something for me 😀 I dug further and found that it was leaking the fb_access token in clear text :O I then tried to check what its impact could be, but before doing that I checked the validity of the token and the permissions tied to it. So I opened up the Facebook Graph API Explorer, pasted the fetched token into the API and debugged it. Other interesting things I found were that it had the publish actions permission and a long lifetime (2 months).

So why is this an issue?

According to OWASP:
It is important to threat-model your mobile app to understand the information assets it processes and how the underlying APIs handle those assets. These APIs should store sensitive information securely. Places OWASP most often sees data being stored insecurely include the following:

  • SQLite databases
  • Log Files
  • Plist Files
  • XML Data Stores or Manifest Files
  • Binary data stores
  • Cookie stores
  • SD Card
  • Cloud synced

Let me give you a scenario, or a possible explanation.
An attacker will install a malicious app on the victim’s device; that app will fetch the XML file containing the access token and can remotely send the attacker those tokens, with which the attacker can do evil stuff with the victim’s account, etc.

So it was an insecure data storage issue.
I immediately reported this issue to Facebook and was waiting eagerly for their reply 😀
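As an added example (not the author’s code and not Instagram’s), a small Python scanner a developer can run over their own app’s shared_prefs XML to flag entries that look like plaintext credentials, such as the fb_access_token found above. The sample file, its key names and the token value are constructed; the name and value patterns are assumptions, not an OWASP rule.

```python
import re
import xml.etree.ElementTree as ET

# Key names that usually hold credentials; a match on the name alone is a finding.
SENSITIVE_NAME = re.compile(r"(token|secret|password|passwd|api[_-]?key|session)", re.I)
# Long opaque strings are flagged even under an innocent-looking key name.
OPAQUE_VALUE = re.compile(r"^[A-Za-z0-9_\-.]{32,}$")


def scan_shared_prefs(xml_text: str) -> list:
    """Return (key, reason) pairs for entries in an Android shared_prefs XML
    file that look like plaintext credentials. Only <string> entries are
    checked; booleans, ints and longs cannot carry a token."""
    findings = []
    root = ET.fromstring(xml_text)
    for entry in root.iter("string"):
        name = entry.get("name", "")
        value = (entry.text or "").strip()
        if not value:
            continue
        if SENSITIVE_NAME.search(name):
            findings.append((name, "sensitive key name"))
        elif OPAQUE_VALUE.match(value):
            findings.append((name, "long opaque value"))
    return findings


# Constructed sample modelled on the preferences file described above; the token is made up.
SAMPLE = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="username">alice</string>
    <boolean name="push_enabled" value="true" />
    <string name="fb_access_token">CAACEdEose0cBAExampleMadeUpTokenValue1234567890</string>
    <string name="device_guid">0123456789abcdef0123456789abcdef</string>
    <int name="launch_count" value="7" />
</map>"""


if __name__ == "__main__":
    for key, reason in scan_shared_prefs(SAMPLE):
        print(f"{key}: {reason}")
```

Anything the scanner reports should be moved out of SharedPreferences into the platform keystore or an encrypted store, or not persisted at all.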

[+] Tested on a 4.2 Jelly Bean Android emulator.
Tools used:
[+] Reported on 11 December 2014 14:33

Video PoC:

And this was the reply:

Facebook security: If your device was rooted? Then it’s not our issue!


They rejected this issue just because I tested it on the emulator. Is it my fault that it comes pre-rooted? And I was like

But still I was not happy with their answer and tried to explain further; this time some core member of their dev team replied me this:

“We appreciate your report but currently I’m going to close out this report. If you feel you have more information to add, feel free to reopen it and add that information.”

And they closed it again.

So, later on I asked the Twitter security team about the same context issue.

Ans: Hi Vishwa, thanks for reaching out to us. We don’t have any issue regarding the context of the device being rooted. If you got any serious issue then we are eager to hear that.

Twitter dev team.

Similarly I went to the Yandex security team, and their reply was the same as Twitter’s regarding the context.

So this was all, guys.

Thank you for reading this. Better luck next time. #never give up 🙂