Square: Privilege Escalation

ID H1:29471
Type hackerone
Reporter jayden
Modified 2015-03-28T14:41:07


Hi,


When a normal user creates an account using this link: https://www.bookfresh.com/users/signup/ he will have a freebie account (limited / free account). If the user wants more features, he must upgrade to a Team ($39.95/Month) or Business ($19.95/Month) account.

But there is a bug that allows the attacker to get a Team or Business account without paying anything.


1. Go to https://www.bookfresh.com/users/signup/
2. After filling in the form, intercept the registration request (POST request). There is a param called user[act_type_id] set to 1 (user[act_type_id]=1). To get a Business account change it to 2 (user[act_type_id]=2); to get a Team account change it to 3 (user[act_type_id]=3).
3. Submit the request and you will be redirected automatically to your dashboard (which is, by the way, not good practice), with Team/Business privileges.