13 matches found
Showmax: delete the subaccount from the user id
Entry in order to delete this sub-profile, you must first create an account. Then you need to find the user id and master id of the account that you will delete. You can do a brute force attempt to find it; if it holds, you can delete the child profile of this person or view a lot of information...
Showmax: lack of rate limit on authentication login page & forgot password page
We received a report about missing rate-limiting functionality that is explicitly mentioned as out-of-scope of our security program. Since migrating our backends to AWS, we have no proper rate-limiting functionality in place. Due to the complexity of our infra stack, we cannot use the standard WAF...
Showmax: Race Condition Vulnerability when creating profiles
Summary: This report describes a Race Condition Vulnerability which allows a user to create as many profiles as he wishes, which contradicts your business logic. I was only allowed to create six profiles on my account, but using this bug I was able to create 30 free profiles. Description: There is a race...
Showmax: Full Path Disclosure in WordPress REST API Response
The hacker submitted a full path disclosure vulnerability on our WordPress site stories.showmax.com. The vulnerability was caused by the Yoast SEO plugin and they actually released a fix for the issue today, 2021-10-05. Considering the issue was with 3rd party code, the fix for the issue was introduce...
Showmax: xmlrpc.php is publicly available at https://stories.showmax.com/xmlrpc.php
Summary: Greetings @Showmax, I found an xmlrpc.php file on https://stories.showmax.com; it's publicly available and it accepts POST requests. Description: Your site is a WordPress-based site. xmlrpc.php is a file that is intended to make API calls between hosts; if it's enabled on a WordPress sit...
Showmax: bypass parental pin successfully
The researcher submitted a URL where our web application wasn't checking state properly and allowed users to see parental PIN settings without any authorization. As a result, anyone at the computer was allowed to see and/or change the parental PIN. Update 10/21: This report as well...
Showmax: Parental Pin Bypass
The security researcher contacted us about improper PIN protection authorisation on our content. Showmax users can set up parental PIN protection for different levels of content maturity. If such content is accessed, the user must enter the PIN. It was reported that the PIN protection is easily...
Showmax: WordPress admin is accessible without HTTP authentication
The WordPress instance stories.showmax.com is a complementary system of the Showmax platform. We enforce 2FA for all user accounts that have access to the administration and that's why we decided not to require Basic Auth and/or IP whitelisting for it...
Showmax: xml-rpc file open for public in the domain: https://stories.showmax.com/xmlrpc.php
After the report we reevaluated the need for having the xmlrpc.php WordPress file available publicly on our https://stories.showmax.com domain, and removed it...
Showmax: [stories.showmax.com] Cross Origin Misconfiguration - Sensitive Information Exposure
The hacker reported user enumeration on https://stories.showmax.com/wp-json/wp/v2/users/ and CORS. The user enumeration didn't disclose any sensitive information except usernames which are not problematic because we have 2FA login in place and the usernames could be obtained even from standard...
Showmax: Open Redirect in secure.showmax.com
The hacker submitted an open redirect vulnerability in one of our payment method flows. The vulnerability could have been also used to perform an XSS attack. Write-up: https://medium.com/@ahmadbrainworks/bug-bounty-how-i-earned-550-in-less-than-5-minutes-open-redirect-chained-with-rxss-8957979070e5...
Showmax: Stored blind XSS on Showmax support team
This report describes a phishing attack. It was performed through HTML injection into a 3rd party chat application and a bit of social engineering. The merit of the attack was in providing HTML code which was then executed on the support agent side. The code was able to retrieve some cookies and lu...
Showmax: Query string parameter modifications returned in page
NOTE BEFOREHAND: I KNOW it's not located on the core showmax.com domain, but that doesn't affect the applications of this and it still has the same risk. Summary: At https://sso.showmax.com/auth/failure?message=, you can change the message parameter to any text and it will be returned on the page...