Binary.com: login to any user's cashier account and full account information disclosure

2015-11-06T12:03:55
ID H1:98247
Type hackerone
Reporter zombiehelp54
Modified 2015-11-14T21:36:47

Description

Hi , I have found an issue allowing an attacker to login to any user's cashier account and view sensitive user information by just knowing the user account ID.

Steps to reproduce:

  1. open 2 browsers and create 2 accounts , login with each account on a browser.
  2. let's call account 1 , the victim and account 2 is the attacker.
  3. from the victim account , make sure you are using real account and then go to https://www.binary.com/cashier then click Deposit then click Continue.

  4. From the attacker account go to https://www.binary.com/cashier then click Deposit then click Continue.

  5. Now you'll see your cashier account , inspect the page elements using your browser inspector then find the <iframe> tag with the id attribute cashiercont. it will look like this :

<iframe src="https://cashier.binary.com/login.asp?Sportsbook=Binary (CR) SA USD&PIN=CR342435&Lang=en&Password=0e552ae717a1d08cb147f132a31676559e3273ef&Secret=1328d47abeda2b672b6424093c4dbc76&Action=DEPOSIT" frameborder="0" width="100%" height="2000" id="cashiercont" scrolling="auto" style="padding:0px;margin:0px;"></iframe> 6. Edit the <iframe> element and Change the PIN parameter value to the victim account id value so it should be like this after the edit:

<iframe src="https://cashier.binary.com/login.asp?Sportsbook=Binary (CR) SA USD&PIN=<VICTIM_ACCOUNT_ID>&Lang=en&Password=0e552ae717a1d08cb147f132a31676559e3273ef&Secret=1328d47abeda2b672b6424093c4dbc76&Action=DEPOSIT" frameborder="0" width="100%" height="2000" id="cashiercont" scrolling="auto" style="padding:0px;margin:0px;"></iframe> 7. Now you have successfully logged in the victim's cashier account , to view the victim account details , click the cashier button then next to the customer name click the view link and you'll see all the account details of the victim , including Full name , email and phone number which are the most sensitive here since they can be used in phishing.

Please tell me if you are having any issue reproducing this. Thanks