Business logic vulnerability : Permanent Comments lock

Mohamed Sayed
3 min readOct 18, 2024

--

Hey amazing hackers!

I’m Mohamed Sayed (@sayedv2), and today I’m excited to share with you a fascinating story about a business logic vulnerability I discovered in a public bug bounty program.

What is Business logic vulnerability ?

A business logic vulnerability is a type of security flaw that occurs when an application’s logic or workflow is flawed, allowing an attacker to manipulate or exploit the system in unintended ways. This can lead to unauthorized access, data tampering, or other malicious activities.

Let’s start our story

I spent a week hunting for bugs in this program, The program allows you to create a team and invite users with different roles . but it seemed almost secured .

That was until I stumbled upon a feature that caught my attention — the ability to create a board, add items, and engage with team members through a comment section.

Every item contains a comment section that you can communicate with your members and chat with them about the items .

But what really piqued my interest was the option to react to comments .I made a react and intercepted the request and i found a parameter called “reactions” and has a value

The Experiment

I decided to test the react function by intercepting the request and manipulating the “reactions” parameter. I wondered, what if I entered a random value? Would the system accept it? I sent the request, and then… I waited.

The Unexpected Twist

When I refreshed the page, I was shocked to discover that the comment section was now locked — permanently! It dawned on me that any member could exploit this vulnerability to lock the comments, rendering them inaccessible to everyone.

No one can access this page again and the comment section is locked Permanently.

So now any member can lock the comments Permanently and no one can access it again.

The Lesson

This experience taught me that even the most secure-looking applications can harbor hidden vulnerabilities. As hackers, it’s our job to think creatively and test the boundaries of what’s possible. Who knows what other secrets are waiting to be uncovered?

Timeline

14 October 2024reported

16 October 2024duplicate

Follow me on:

twitter / linkedin

--

--

Responses (4)