Automattic: [] Denial of Service by cookie manipulation

ID H1:1005421
Type hackerone
Reporter fuzzme
Modified 2020-11-29T10:48:55




I have found at two parameters, consumer_key and consumer_secret, that allow an attacker to modify both the values and the attributes of the oa-consumer_key and oa_consumer_secret cookies.

An attacker can send a malicious link that overwrites the cookies of ; this leads to a denial of service. To trigger it, the target/victim only needs to click the malicious link.

To restore the account, the victim needs to delete all cookies on

Similar issues:

Vulnerable URL:

Vulnerable parameter(s):

$_GET['consumer_key']; $_GET['consumer_secret']; $_POST['consumer_key']; $_POST['consumer_secret'];

Steps To Reproduce:

  1. Log in at

  2. Go to and create a random application.

/!\ If the cookies "oa-consumer_key" and "oa_consumer_secret" already exist, the attack does not work. /!\

  3. After creating your application, click the following malicious link: ;;%20Max-Age=1000000000000000000000&consumer_secret=x;;%20Max-Age=1000000000000000000000

  4. Go back to and try to connect to by clicking "Explore API". You will be redirected to *&source=console; click Authorize.

  5. Log out and log in again at

  6. Try again to connect to your application.
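The mechanism behind the steps above is cookie-attribute injection: a request parameter is copied into a Set-Cookie header, so a `;` inside the value ends the cookie value and starts a new attribute (here `Max-Age`, which makes the bogus cookie persistent). The following is an added example, not code from the report or from Automattic. It assumes the server builds the header by plain string concatenation (the report does not say how the cookies are set), uses the cookie names given in the report, and reconstructs the attack query from the truncated link (constructed input). It shows what a browser would store from the vulnerable setter and how an RFC 6265 value check stops the injection.

```python
"""Cookie-attribute injection through reflected OAuth consumer parameters.

Added example (not the report's or Automattic's code): models the vulnerable
endpoint as a handler that copies consumer_key / consumer_secret straight into
Set-Cookie headers (an assumption about the server side), then shows what a
browser would store and how an RFC 6265 value check prevents it.
"""
import re
from urllib.parse import unquote_plus

# Query string reconstructed from the truncated link in the report (constructed
# input): each value is "x" followed by an injected "; Max-Age=..." attribute.
ATTACK_QUERY = (
    "consumer_key=x;%20Max-Age=1000000000000000000000"
    "&consumer_secret=x;%20Max-Age=1000000000000000000000"
)

# Which request parameter lands in which cookie (cookie names from the report).
PARAM_TO_COOKIE = {
    "consumer_key": "oa-consumer_key",
    "consumer_secret": "oa_consumer_secret",
}

# RFC 6265 cookie-octet: printable US-ASCII except space, DQUOTE, comma,
# semicolon and backslash. Anything else has no place in a cookie value.
COOKIE_OCTET = re.compile(r"^[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]*$")


def parse_query(query_string):
    """Minimal application/x-www-form-urlencoded parser (first value wins)."""
    params = {}
    for pair in query_string.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params.setdefault(unquote_plus(key), unquote_plus(value))
    return params


def set_cookie_unsafe(name, value):
    """Vulnerable: the untrusted value is concatenated into the header line,
    so a ';' in it terminates the value and starts a new cookie attribute."""
    return f"Set-Cookie: {name}={value}; Path=/"


def set_cookie_safe(name, value):
    """Hardened: refuse anything outside the cookie-octet alphabet instead of
    emitting it (percent-encoding the value is the other acceptable choice)."""
    if not COOKIE_OCTET.match(value):
        raise ValueError(f"invalid cookie value for {name!r}: {value!r}")
    return f"Set-Cookie: {name}={value}; Path=/"


def handle_request(query_string, setter):
    """Model of the endpoint: reflect each known parameter into its cookie."""
    params = parse_query(query_string)
    return [setter(cookie, params[param])
            for param, cookie in PARAM_TO_COOKIE.items() if param in params]


def parse_set_cookie(header):
    """Split a Set-Cookie line the way a browser does: the first
    ';'-delimited piece is name=value, the remaining pieces are attributes."""
    body = header.split(":", 1)[1]
    pieces = [p.strip() for p in body.split(";")]
    name, _, value = pieces[0].partition("=")
    attrs = {}
    for piece in pieces[1:]:
        if piece:
            key, _, val = piece.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def stored_cookies(query_string, setter):
    """(name, value, attributes) per cookie the browser would store, or None
    when the setter rejected the request."""
    try:
        return [parse_set_cookie(h) for h in handle_request(query_string, setter)]
    except ValueError:
        return None


if __name__ == "__main__":
    for name, value, attrs in stored_cookies(ATTACK_QUERY, set_cookie_unsafe):
        print(f"{name}={value!r} attrs={attrs}")  # Max-Age injected, Path kept
    print("hardened setter:", stored_cookies(ATTACK_QUERY, set_cookie_safe))
```

With the unsafe setter both cookies come back as `x` with an attacker-chosen `Max-Age`, which is exactly the persistent, wrong-valued cookie pair that keeps the victim locked out until they clear cookies by hand; the same `;` trick would let an attacker set `Path`, `Domain` or `Expires` too. The hardened setter rejects the request outright. Modern browsers clamp cookie lifetime (Chrome caps it at 400 days), so the absurd `Max-Age` in the payload simply means "as long as the browser allows", which is still long enough for the denial of service described in the report.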

You can follow along in the video PoC.

Thanks, goodbye.

