loading...
Cover image for Acknowledgement From Jet

Acknowledgement From Jet

muhaddimu profile image Muhaddis ・2 min read

On third March 2017, I visited Jet.Com and by investing a modest measure of energy I discovered a famous vulnerability in their site. It was considered as a Cookie Replay issue that leads to lifetime access of the victim's account. In case you're a security analyst or a bug researcher I generally exhort you to invest as much time in chasing as much you can, and that I learnt from one of my Indian friends.

Steps to Replication:

  1. Goto Jet's Account
  2. Login to Your Account
  3. Get the Cookies using " Burp Suite" or "EditThisCookie" or (AnyBrowser's Extension) Copy All These Cookies.
  4. Logout from the Account
  5. Clear All the Cookies of your Browser related with Jet's Account
  6. Save the Cookies you Copied in a Text File
  7. Now Inject/Import Old Cookies to the Jet's Account by "EditThisCookie" (Google Extension)
  8. As you can see, You will be again logged In to Jet's Account Account using old Session Cookies.

After identifying that report they changed the to triaged and I’m glad to get another bounty, but then they revoked and I was like :|

Alt Text

Following two days the report status changed to duplicate and resolved.

Alt Text

They recognized me by including my name in their Security researcher Hall of fame.

Alt Text

I'll test that site again as I got some time and I'll do my best to locate another interesting vulnerability. I thank Jet for acknowledgement and my thanks to you too for your profitable time.

Posted on by:

muhaddimu profile

Muhaddis

@muhaddimu

Muhaddis is a Web Developer & Security Researcher who acknowledged by top companies including DEV for helping them finding security flaws in their products. He's also interested in cloud technology ✨

Discussion

markdown guide