ProgramFilesx86.github.io


Ad portals and the half blood vulnerability

In this page I’ll discuss a class of vulnerability that I was hunting for and exploiting in bug bounty programs (and still do). As the “half blood” in the title suggests, it is not a vulnerability that could compromise the app or its users, but it still has to be fixed.

Description:

Before we start: some companies run “advertisement portals” alongside the core part of their application, giving users a way to sponsor their products/apps/posts etc. in the core app; Twitter, Google AdSense and Facebook Ads are examples. Let’s take Twitter. A user wants to sponsor his product on the Twitter core application, so Twitter Ads lets him create an advertisement with advanced options such as who the ad will be displayed to (gender/age etc.) or where (a specific country). Twitter then displays this advertisement in its core app to the targeted users, and the user (the sponsor) pays for it.

The ads portal offers different ad display types and the price differs for each one; these types are known as CPC, CPM, CTR etc. (“Cost Per Click” means how much you’re willing to pay each time someone clicks on your ad; “Cost Per Mille” means how much you’re willing to pay for every 1000 views of your ad, and so on). CPC is usually the expensive type, since it brings customers to your product rather than views only. Now that it makes sense how the ads get displayed in the app, why the price differs per type and how these applications work, let’s try to mess with them …

The half blood vulnerability:

Do these applications have a strong design, or can we really mess with them and publish our CPC ads for the CPM price, or even without paying a cent (totally free)? Yes, actually we can violate the whole business logic of the app here, get our ads published for free and get customers to our products without a cent given. Here are some examples of bugs I’ve found as a bug bounty hunter in real-world companies. As I said, this is a “half blood vulnerability”: it poses no security threat to the users or the company, but it badly violates the business logic of the app, and developers should really care about it (fix it).

  • There’s no check on the BID: The BID is always the parameter that carries the money amount (how much you’ll pay) when publishing the ad (I guess it refers to bidding or something similar). In this case the ads portal of the company I was testing had verification on the client side only: if we submitted the ad set to the company with a BID equal to “0”, it was accepted, which allowed us to publish our ad for free.


The bug was accepted, fixed and paid $500.


  • There’s a check on the BID but it’s weak: The BID in this case didn’t allow values equal to or under “0”. This seems secure enough, but notice “doesn’t accept values equal to 0”: well, “1e-48” is greater than “0” (0.000000000000000000000000000000000000000000000001 > 0). Will “1e-48$” be charged from your bank account? “No”, indeed, and when we tried it the request was accepted successfully.


The bug was submitted, accepted and rewarded with a $xxx bounty. The triager told me: we’ve given you this bounty as “thanks for the report”; after the internal investigation we don’t consider this a “security issue”, but they’ll add a fix.


  • There’s an integer check (integers only? what if … hold on): As said, this time there’s a check: if we submit a value under 0,01$ the request won’t be submitted. Everything is good, 0 and values under 0,01 aren’t accepted. NULL? Yeah, it worked.


The bug was submitted, accepted and rewarded with a $100 bounty. I was about to get paid as medium here, but the developers had already doubled up the secure design: there was another function in the backend which does not accept values under 0,01. They still wanted to fix it and appreciated my report.
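The three bid checks above come down to one server-side validation routine. As an added example (not any portal’s code), here is a Python check that rejects each input that slipped through on this page (0, 1e-48 and NULL), shown next to the weak “parse as float and compare with 0” test from the second case; MIN_BID and MAX_BID are assumed policy values and the sample bids are constructed.

```python
from decimal import Decimal, InvalidOperation

MIN_BID = Decimal("0.01")      # smallest billable amount (one cent); assumed policy value
MAX_BID = Decimal("10000.00")  # sanity ceiling per ad set; assumed policy value
CENT = Decimal("0.01")

def weak_check(raw):
    """The second case on this page: anything a float parses as > 0 is accepted."""
    try:
        return float(raw) > 0
    except (TypeError, ValueError):
        return False

def validate_bid(raw):
    """Server-side bid validation. Returns the bid normalised to cents, or None to reject."""
    # NULL / missing field is a reject, never a default to "free" (third case).
    if raw is None or isinstance(raw, bool):
        return None
    # Parse as an exact decimal instead of a binary float.
    try:
        bid = Decimal(str(raw).strip())
    except InvalidOperation:
        return None
    # NaN / Infinity parse fine as Decimal but must never reach billing code.
    if not bid.is_finite():
        return None
    # Range check: this alone already rejects 0 (first case) and 1e-48 (second case).
    if bid < MIN_BID or bid > MAX_BID:
        return None
    # Sub-cent precision cannot be billed, so refuse it instead of silently rounding.
    cents = bid.quantize(CENT)
    if cents != bid:
        return None
    return cents

def check_all(cases):
    """Run both checks over the inputs; returns {input: (weak_accepts, strict_result)}."""
    return {c: (weak_check(c), validate_bid(c)) for c in cases}

# Constructed inputs: the three bypasses from the page plus a few edge cases.
SAMPLE_BIDS = ["0", "1e-48", None, "-5", "NaN", "0.009", "0.015", "0.01", "2.5", "abc", ""]

if __name__ == "__main__":
    for raw, (weak, strict) in check_all(SAMPLE_BIDS).items():
        print(f"{str(raw):>8}  weak={'accept' if weak else 'reject':6}  strict={strict}")
```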


These were some cases I found in real companies that run bug bounty programs.

And big thanks to Yassine, Sohaib, Elmahdi and Ayoub for your support and for sharing some of your knowledge with me!!

If you liked the blog, feel free to follow me on Twitter for more.

Note: The title was based on a Harry Potter movie title, “Harry Potter and the Half-Blood Prince” (it’s not a technical term) :)

Thanks for your time, hope it helps :)