YouPorn: Account hijack via deleted PH account

2017-01-29T14:06:25
ID H1:201940
Type hackerone
Reporter cyber-guard
Modified 2017-06-13T16:49:01

Description

The researcher identified a faulty Oauth implementation allowing YouPorn accounts to be hijacked. The researcher exploited a feature which links Pornhub and YouPorn accounts together by leveraging old accounts which were previously deleted, or where username was changed. A faulty Oauth auth implementation allowed to hijack Youporn accounts by registering Pornhub accounts, which were previously deleted, or where username was changed.

It should be noted that in order to exploit this flaw, a potential victim would have to perform multiple of quite unlikely steps, thus the overall impact was much lower than other Oauth flaws, yet the YouPorn team very generously paid out a bounty amount for a full authentication flaw.

Check out the infrastructure monitoring platform BugLabs.me for bounty hunters - https://buglabs.me