richlaha.blogg.se

Secret message web






He constantly supported and guided me to identify these vulnerabilities; his motivation made me find this vulnerability.


I need to thank one of my seniors, Shahir. But I am 60% sure it may have a similar vulnerability. Similarly, NGL.LINK may also be hacked, but as it is an Android app, I currently don't have a pre-installed ecosystem for pen testing it.

  • Click on Get started and then register and log in.
  • Kubool also works in the same way as secret text, but here there is an additional authentication (a useless one). So if my cookie is 4231, yours may be 4232… So we can easily enumerate every user's cookie. And what if I got it? That I explained above: the cookie is the only auth factor on this platform, so stealing the cookie = stealing the user account. Basically an ACCOUNT TAKEOVER VULNERABILITY. Further authentication for the receiver is completely based on the cookie which the server created previously. Using that cookie, any attacker can take over the user account and read the private messages.


    The created link can be shared with other members for receiving messages/confessions.
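
A defender's view of the cookie problem described above, as an added example that is not code from the post or from any of the platforms it names: `looks_enumerable` flags counter-style cookie values like the 4231/4232 pair, and `SessionStore` issues unguessable tokens instead. All function and class names, the `max_step` threshold and the sample values are assumptions made for illustration.

```python
import hashlib
import secrets


def looks_enumerable(cookies, max_step=16):
    """True when a sample of issued cookies is guessable: all-numeric
    values whose sorted neighbours differ by a small positive step."""
    if len(cookies) < 2:
        return False
    if not all(c.isascii() and c.isdigit() for c in cookies):
        return False
    values = sorted(int(c) for c in cookies)
    return all(0 < b - a <= max_step for a, b in zip(values, values[1:]))


class SessionStore:
    """Hypothetical hardened issuer: 256-bit CSPRNG tokens, stored hashed."""

    def __init__(self):
        self._by_hash = {}  # sha256(token) -> user id

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id):
        token = secrets.token_urlsafe(32)  # 32 random bytes from the OS CSPRNG
        self._by_hash[self._digest(token)] = user_id
        return token

    def lookup(self, token):
        # A guessed or neighbouring value maps to no session at all.
        return self._by_hash.get(self._digest(token))

    def revoke(self, token):
        self._by_hash.pop(self._digest(token), None)


# Constructed sample modelled on the counter-style cookies the post mentions.
WEAK_SAMPLE = ["4231", "4232", "4233", "4235"]


def demo():
    store = SessionStore()
    tokens = [store.issue(f"user{i}") for i in range(4)]
    return {
        "weak_flagged": looks_enumerable(WEAK_SAMPLE),
        "strong_flagged": looks_enumerable(tokens),
        "owner": store.lookup(tokens[0]),
        "guess": store.lookup("4232"),
    }
```

Running `looks_enumerable` over a batch of freshly issued cookies in a test suite catches a regression to counter-based identifiers before release.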







