Hacking Your Application May Be Easier Than You Think

Here I will show how I hacked my coffee shop's application and accessed my own data: hacking your application may be easier than you think.

I noticed suspicious behaviour in the weekly email from my coffee shop subscription; it offered to let me edit my preferences directly through a dedicated link. I was able to bypass the cookie and authentication token (no tricks) and reach an account details panel where I could change the password, account email, etc. Essentially, the shop was exposed to severe authentication and authorization issues, leading to IDOR of PII (exposure of personally identifiable information). On top of that, neither CORS nor CSRF mitigations were in place, allowing me to create a malicious link leading to a one-click account takeover.

Disclaimer: I am not suggesting anyone do any testing without clear consent. I noticed a vulnerability as a happy customer of one of my favorite shops and was intrigued by how easily my account could be manipulated. From there it was curiosity that took me further to find the bugs. I tried to keep it to as few "offensive" actions as possible and reported everything in detail to the shop to help them mitigate the risks, offering my help.

How it all started

I have a subscription to one of the best coffee shops in London. I'm sent a bag of freshly roasted beans once a week, along with an email inviting me to change my bean preferences or delivery schedule.

I have used the link many times when I wanted to skip a delivery or bring it forward; it was a quick and easy way to access my account. No login barriers or interference: a slick and easy customer experience.

Last week, after moving my delivery forward because I was out of coffee, I noticed something weird: accidentally removing one character from the link's token made no difference. I was still able to view my preferences, make changes and update my account.
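The kind of token handling that would have closed the hole described above, as an added Python example that is not the shop's code (the in-memory store, the scope set and the function names are assumptions for illustration): the whole token must match, it expires, and it can only touch delivery preferences, so changing the account email or password still requires a proper login.

```python
import hashlib
import secrets
import time

# Constructed in-memory store for the example: sha256(token) -> record.
# A real application would keep this in its database.
TOKEN_STORE = {}

# Actions a preference link may perform. Account-level changes (email,
# password) are deliberately excluded and must go through a logged-in session.
LINK_SCOPE = {"view_preferences", "update_preferences", "skip_delivery"}


def _digest(token):
    return hashlib.sha256(token.encode()).hexdigest()


def issue_link_token(user_id, ttl_seconds=7 * 24 * 3600, now=None):
    """Issue a random, single-purpose, expiring token for the weekly email.
    Only its hash is stored, so a leaked table does not yield working links."""
    issued_at = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    TOKEN_STORE[_digest(token)] = {
        "user_id": user_id,
        "expires": issued_at + ttl_seconds,
    }
    return token


def authorize_link(token, action, now=None):
    """Return the user_id the link may act for, or None.
    The full token must match (a truncated token hashes to a different value),
    the token must be unexpired, and the action must be within LINK_SCOPE."""
    if action not in LINK_SCOPE:
        return None
    key = _digest(token)
    record = TOKEN_STORE.get(key)
    if record is None:
        return None
    current = time.time() if now is None else now
    if current > record["expires"]:
        del TOKEN_STORE[key]  # expired tokens are purged on first use
        return None
    return record["user_id"]
```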

