How to run your advertisements for free on Reddit, Twitter and Quora

In this post I'll discuss a vulnerability that I was exploiting and searching for in bug bounty programs (and I still do). As we agree, it's not a vulnerability that could compromise the app or its users, but it still has to be fixed, because it affects the company's integrity and results in financial damage.

Ad portals and the half blood vulnerability

Because it does not pose a direct, significant threat, I'm calling it the "half-blood" vulnerability.

Before we start: some companies run "advertisement portals" outside the core part of their application, which let users sponsor their products, apps, posts, etc. in the core app. Examples are Twitter, Google AdSense, Facebook Ads and more. Let's take Twitter as an example: a user wants to sponsor his product on Twitter, so Twitter lets him create an advertisement with advanced options such as who the ad will be displayed to (gender, age, etc.) or where (a specific country). Twitter then displays this advertisement in its core app to the targeted users, and the user (the sponsor) has to pay.

The ads portal offers different types of ad display, and the price differs for each. These types are known as CPC, CPM, CTR, etc. ("Cost Per Click" means how much you're willing to pay when someone clicks on your ad; "Cost Per Mille" means how much you're willing to pay for every 1000 views of your ad, and so on). CPC is usually the expensive type, because it brings more customers to your product than views alone do.

Now it makes sense how ads get displayed in the app, why the price differs between types and how these applications work. Let's try to mess things up...

There's no check on the BID: In Quora, the BID is always the parameter that carries the money amount (how much you'll pay) when publishing an ad (I guess it refers to bidding or something similar). In this case the ads portal of the company I was testing had verification on the client side only: if we submitted the ad set to the company with a BID equal to "0", it was accepted and thus allowed us to publish our ad for free.

The bug was fixed and paid.

There's a check on the BID but it's weak: In Twitter's logic, the BID didn't allow values equal to or under "0". This seems secure enough, but notice "doesn't accept values equal to 0": well, "1e-48" is greater than "0" (0.000000000000000000000000000000000000000000000001 > 0). Will "1e-48$" be charged from your bank account?

"No" indeed, and when we tried it, the request was accepted successfully!

The report was sent and paid as well.

There's an integer check, but does that mean it's safe?: Reddit was the most interesting case I've come across. As said, this time there's a check on the BID: if we submit a value under 0.01$, the request won't be submitted. Everything is good, X != 0 and X > 0.01 are the requirements. How about escaping the box?

Well, yes, it expects an integer, but what if we send something that is not an integer yet can be treated as one? That was enough for me to submit the BID value as "null". I assumed the backend would indeed accept the request, and that null would mean 0 for the bank transfer. Our assumption was right.
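The three cases above (no server-side check at all, a bare "greater than zero" comparison that 1e-48 satisfies, and a minimum that a null value slips past) all come down to validating the bid amount properly on the server. The following is an added example, not code from the original post or from Quora, Twitter or Reddit: a bid validator in Python that rejects each of the three payloads described in the post, plus the related edge cases (NaN, booleans, sub-cent precision) that the same weak checks tend to miss. The field name `bid`, the JSON body shape, and the `MIN_BID`/`MAX_BID` limits are assumptions for the example (0.01 is the minimum the post cites for Reddit); the sample requests are constructed.

```python
"""Server-side validation of an ad bid amount (added example; assumed API shape)."""
import json
from decimal import Decimal, InvalidOperation

# Assumed policy values for this example. 0.01 is the minimum the post cites for Reddit;
# the maximum is an arbitrary sanity bound a real portal would set per campaign type.
MIN_BID = Decimal("0.01")
MAX_BID = Decimal("100000.00")
CENT = Decimal("0.01")


class InvalidBid(ValueError):
    """Raised when a submitted bid must be rejected."""


def weak_bid_check(raw) -> bool:
    """The bare 'greater than zero' check the post describes, done as a float comparison.
    Kept only to show why it is insufficient: 1e-48 satisfies it."""
    try:
        return float(raw) > 0
    except (TypeError, ValueError):
        return False


def parse_bid(raw) -> Decimal:
    """Turn the raw JSON value into a Decimal, rejecting anything that is not a plain finite number.

    None (JSON null) and booleans are rejected explicitly: bool is a subclass of int in Python,
    so True would otherwise be accepted as 1.
    """
    if raw is None or isinstance(raw, bool):
        raise InvalidBid("bid is missing or not a number")
    if isinstance(raw, (int, float)):
        text = repr(raw)            # exact textual form, e.g. '1e-48' or '0.5'
    elif isinstance(raw, str):
        text = raw.strip()
    else:
        raise InvalidBid("bid has unsupported type %s" % type(raw).__name__)
    try:
        value = Decimal(text)
    except InvalidOperation:
        raise InvalidBid("bid %r is not numeric" % raw) from None
    if not value.is_finite():       # catches NaN and Infinity (json.loads accepts bare NaN)
        raise InvalidBid("bid must be a finite number")
    return value


def validate_bid(raw) -> Decimal:
    """Full server-side check. Returns the bid normalised to whole cents or raises InvalidBid."""
    value = parse_bid(raw)
    if value < MIN_BID:             # rejects 0, negatives and sub-minimum values such as 1e-48
        raise InvalidBid("bid %s is below the minimum of %s" % (value, MIN_BID))
    if value > MAX_BID:
        raise InvalidBid("bid %s exceeds the maximum of %s" % (value, MAX_BID))
    quantized = value.quantize(CENT)
    if quantized != value:          # 0.015 would round to 0.02; do not silently change amounts
        raise InvalidBid("bid %s has sub-cent precision" % value)
    return quantized


def handle_ad_submission(body: str) -> dict:
    """Parse a JSON ad submission and return the decision the server would record."""
    try:
        payload = json.loads(body)
    except json.JSONDecodeError:
        return {"accepted": False, "reason": "malformed JSON"}
    if not isinstance(payload, dict):
        return {"accepted": False, "reason": "body must be a JSON object"}
    try:
        bid = validate_bid(payload.get("bid"))   # .get() turns a missing field into None
    except InvalidBid as exc:
        return {"accepted": False, "reason": str(exc)}
    return {"accepted": True, "bid": str(bid)}


# Constructed sample submissions mirroring the three cases in the post, plus a valid one.
SAMPLE_REQUESTS = {
    "zero_bid":   '{"ad_id": "demo", "bid": 0}',
    "tiny_float": '{"ad_id": "demo", "bid": 1e-48}',
    "null_bid":   '{"ad_id": "demo", "bid": null}',
    "valid_bid":  '{"ad_id": "demo", "bid": "2.50"}',
}

if __name__ == "__main__":
    for name, body in SAMPLE_REQUESTS.items():
        print("%-10s %s" % (name, handle_ad_submission(body)))
```

The design choice that matters is doing the comparison on a `Decimal` after an explicit type check, rather than trusting whatever the JSON parser produced: a float comparison passes 1e-48, a missing or null field never reaches a numeric comparison unless the code forces it to, and quantizing to cents before storing the bid means the amount charged is exactly the amount validated.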

That's it for now. I hope you enjoyed reading this and learned something at least!
