Hijacked fantasy Cricket platform

Girish Patil / May 16, 2021

What

  1. OTP generation flaws
  2. No strict file upload checks
  3. Hardcoded creds in source code
  4. Enabled directory listing

Can do to your product

  1. Take complete control of your servers/website/apps, everything, and release new versions 😅
  2. Hijack your users' devices
  3. Steal your users' data

And it went like this

I just wanted to try their app once, but before I did I went to their website. I just browsed around and noticed that they allow users to play on the website as well. So I tried signing up, and this is where things started getting interesting. As soon as I generated an OTP it took me to the "Verify OTP" page, and when I tried to enter a wrong OTP, it didn't even take a fraction of a second to request and respond. It was as though it was happening instantaneously on the client 😅. This made me wonder, and then the all-time Swiss army knife, dev tools, came to the rescue: when I inspected the network request, I found the holy grail. The OTP was being generated on the client, and to verify it, the OTP was also sent along in every verification request. Now that I had noticed such a flaw I started wondering what else might have issues.
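To make the flaw concrete, here is an added example (mine, not the platform's code and not anything from the original post) showing the client-supplied OTP check next to a server-side one. The verification flow is an assumption standing in for whatever the platform actually ran: the OTP is generated with a CSPRNG, only ever leaves the server through the SMS sender, is stored as a hash bound to the challenge and phone number, expires, is attempt-limited and is burned on first success. The in-memory `_pending` dict and the `send_sms` callback are placeholders for the real DB row and SMS gateway.

```python
"""Server-side OTP issue/verify, contrasted with the client-supplied pattern.
Added example; the store and SMS sender are stand-ins, not the platform's code."""
import hashlib
import hmac
import secrets
import time

OTP_DIGITS = 6
OTP_TTL_SECONDS = 300
MAX_ATTEMPTS = 5

# Constructed in-memory store keyed by challenge id; a real deployment would
# keep the same fields in a DB/cache row.
_pending = {}


def vulnerable_verify(request: dict) -> bool:
    """The pattern described in the post: the client generated the OTP and
    sends it back alongside what the user typed, so the server is only
    checking that two attacker-controlled fields are equal."""
    return request.get("otp") == request.get("entered")


def _hash_otp(challenge_id: str, phone: str, otp: str) -> str:
    # Bind the digest to the challenge and phone so a stored digest cannot be
    # replayed against a different login attempt or number.
    msg = f"{challenge_id}:{phone}:{otp}".encode()
    return hashlib.sha256(msg).hexdigest()


def request_otp(phone: str, send_sms) -> str:
    """Generate the OTP on the server, deliver it out of band, and hand the
    client nothing but an opaque challenge id."""
    otp = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
    challenge_id = secrets.token_urlsafe(16)
    _pending[challenge_id] = {
        "phone": phone,
        "digest": _hash_otp(challenge_id, phone, otp),
        "expires": time.time() + OTP_TTL_SECONDS,
        "attempts": 0,
    }
    send_sms(phone, otp)  # the only place the OTP leaves the server
    return challenge_id


def verify_otp(challenge_id: str, phone: str, entered: str, now=None) -> bool:
    """Single-use, time-limited, attempt-limited verification. `now` is
    injectable so expiry can be exercised without sleeping."""
    now = time.time() if now is None else now
    rec = _pending.get(challenge_id)
    if rec is None or rec["phone"] != phone:
        return False
    if now > rec["expires"] or rec["attempts"] >= MAX_ATTEMPTS:
        _pending.pop(challenge_id, None)  # dead challenge: force a fresh OTP
        return False
    rec["attempts"] += 1
    ok = hmac.compare_digest(rec["digest"], _hash_otp(challenge_id, phone, entered))
    if ok:
        _pending.pop(challenge_id, None)  # burn it on success
    return ok
```

The thing to notice is what the client gets back from `request_otp`: a challenge id and nothing else. If the verification request carries anything that lets the server reconstruct the correct answer, the check is cosmetic, which is exactly what the dev tools showed here.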

So,

  1. I tried entering a different random phone number and used the OTP in the request to log in.
  2. Once I logged in I just went through the whole app. The product overall wasn't as good as portrayed, but I kept browsing, looking for something more.
  3. During recon I had come to know that they use PHP. I saw a profile photo uploader in the Profile section and started playing with it. I uploaded a random photo and went to the location of the rendered image (by inspecting the img). My next check was whether they had directory listing disabled or not, and, as you might have guessed already, no, it wasn't disabled.
  4. My next move was to upload a simple PHP script, and voilà: there was no strict check on file uploads, and the file was
    1. moved to the public directory,
    2. whose directory listing wasn't disabled,
    3. and on the same server as the main app.
  5. So now, when I visited the PHP file in the public folder, it ran like a PHP file, and this means you can literally do anything. I started reading directories, found DB connections with hardcoded passwords; in the end it was basically full access to the system.

Wait, there is more to this. Some time later on the same day I went to upload a new script and went looking for it. This is when I noticed a different PHP file, which was not uploaded by me. It started getting weird for me now. I opened the link and boom, I was like, wtf am I looking at, more like why the fuck is this here.

It was a full-fledged PHP web shell. Not just the normal CLI exec stuff; it in fact had more sophistication to it. As soon as I had this, I opened up the CLI within it and looked for when the file was created on the server. It turned out it was 5 days (I don't remember exactly) before the day I was doing this.

Somebody, most likely a script kiddie, had uploaded this and was accessing it whenever necessary (I could see there were database backups happening). I watched for a day or two, then pinged the team about the issues. The problem here is that the team (although technical) was not able to understand the level of disaster and was trying to understand what was going on and how to fix it.

My first suggestion was to delete all the PHP files from the public directory, disable directory listing, add a hard check on file uploads, and I asked them to call me as soon as this was done so that we could get the rest of the things right. The thing I hate the most is that I never received a callback; even worse, when I went to check up on the PHP file it was still there after my notification. Funny thing is, it was still present after months too. The level of ignorance here is extremely high.

This happened about 2 years back, and luckily now the endpoints are down. They have changed some things, but I haven't revisited them yet. Maybe sometime soon I will go back and check things once again.

Highlight of this post

  1. I was able to access thousands of scanned copies of PAN/Aadhaar/bank passbooks/passports of their users.
  2. I was able to change my prize money and total wallet amount in my account.
  3. Send bulk emails/SMS.
  4. Change the source code of the whole website + app and change the deploy. (The app was not on any store, as these types of apps are not allowed on either the Play Store or the App Store, and hence it was hosted on their website.) If the source code were altered and deployed, it would be another thousands of compromised devices with unlimited possibilities.
  5. Change payment integrations within their app.
  6. All in all, when you have this situation you can literally do the maximum damage possible to the owners and the users.