From GitHub Recon to Hotstar Admin Access: A Deep Dive into Security Flaws

Explore how a basic GitHub search revealed significant security issues in Hotstar’s admin panel. This write-up outlines the flaws discovered and offers guidance on how to address and prevent similar vulnerabilities.

Hello Everyone I am Vishal Vishwakarma [@rootxvishal] I hope you enjoy it and learn something new from it.

Introduction

Hotstar, one of India’s leading streaming platforms, has gained immense popularity for its extensive library of movies, TV shows, and live sports. As with many large-scale online services, securing sensitive areas such as admin panels is critical. Recently, I discovered a vulnerability that allowed me to gain unauthorized access to Hotstar’s admin panel using a GitHub dork. In this article, I will guide you through the process of how I identified this vulnerability, from initial reconnaissance to the exploitation phase.

Subdomain Enumeration

The first step in my reconnaissance was subdomain enumeration. I used various tools to gather all the subdomains associated with the target website. Subdomain enumeration is crucial for discovering hidden parts of a website that might not be immediately visible.

Here’s a rundown of the tools and commands I used:

1. Subdomain Discovery Tools:

• Subfinder: A powerful subdomain discovery tool that performs passive reconnaissance.
• Amass: A tool designed for advanced network mapping and subdomain enumeration.

Example commands:

subfinder -d example.com -o subdomains.txt
amass enum -d example.com -o subdomains.txt

2. Filtering Live Domains: Once I had a list of subdomains, the next step was to filter out the live domains. I used the following commands to achieve this:

cat subdomains.txt | httpx -o urls.txt
cat subdomains.txt | httprobe | sort -u >> list.txt

3. Extracting Useful Information: With a large number of URLs, I wanted to avoid manually inspecting each one. Instead, I used httpx to fetch the titles and status codes of the URLs, which helped me quickly identify interesting targets.

cat list.txt | httpx -title -status-code -fr -o result.txt

The result file contained valuable information, such as page titles and HTTP status codes, which made it easier to spot potential login panels or other interesting areas.

Finding the Admin Panel

Among the various URLs, one page title stood out: “Admin — Log In”. This was a strong indication of an admin panel that could be a potential target. I attempted to bypass the login panel but was met with no success.

Determined, I moved on to fuzzing directories using ffuf, but this approach did not uncover any new directories or endpoints. Not ready to give up, I decided to delve into the JavaScript files of the admin panel, searching for hidden secrets or configurations. I utilized tools like TruffleHog and SecretFinder but found nothing of interest.

Dorking for Hidden Information

With traditional methods exhausted, I turned to dorking — using specific queries to find hidden information. I used both GitHub and Google dorks, searching for mentions of the admin panel and related data. Some example dorks included:

• org:target
• *.target.*
• “site.com” password

These queries led me to several repositories and directories on GitHub where the URL appeared. In one repository, I discovered source code that included development credentials. These credentials were in Base64 encoding, which I decoded using a Base64 decoder tool online.

Exploiting the Credentials

With the decoded credentials, which included an email address and password, I attempted to log in to the admin panel. To my astonishment, the login was successful. I found myself in the admin panel, where I had access to various critical functionalities

• User Management: Adding and removing users from the platform.
• Ad Creatives: Creating, modifying, and deleting advertising content.
• Billing Details: Viewing and modifying billing information, including advertiser names.
• Request Approvals: Approving or rejecting requests and invoices.

This level of access provided me with complete control over Hotstar’s advertising operations and billing processes, highlighting the critical nature of securing administrative interfaces.

Impact of the Vulnerability

The impact of this vulnerability is substantial and multifaceted:

1. Unauthorized Administrative Control: Attackers gaining admin access can manipulate and control critical aspects of the Hotstar platform, including user accounts and advertising content. This could lead to unauthorized changes that disrupt service and undermine user trust.
2. Financial Risk: With access to billing details and financial information, attackers could commit fraud, alter financial records, or mismanage funds, posing a serious financial threat to the company.
3. Operational Disruption: The ability to approve or reject requests and invoices without authorization could disrupt business operations, causing delays and potentially affecting revenue streams. This could also harm the company’s operational efficiency.
4. Data Exposure: Sensitive data about advertisers and financial transactions could be exposed, risking privacy violations and compromising data integrity. This could damage the company’s reputation and erode customer trust if confidential information is leaked.

Fixing the Vulnerability

To address this vulnerability, several key actions are needed to secure the admin panel and prevent unauthorized access.

Implement strict access controls to ensure only authorized personnel have administrative privileges.

Use role-based access controls (RBAC) to limit what different user roles can view and modify within the admin panel.

Use secure methods such as environment variables or secret management tools to handle credentials and configuration data.

Reporting and Recognition

After discovering this significant vulnerability, I promptly reported it to the Hotstar security team. I’m pleased to share that they responded with impressive speed and professionalism. The team acknowledged the vulnerability, quickly patched the issue, and took steps to enhance their security measures.

In recognition of my efforts and contribution to improving their platform’s security, Hotstar rewarded me with some fantastic swags. It was incredibly gratifying to receive such acknowledgment, and the reward was a wonderful bonus.

I hope you have enjoyed it and learned something new from it, if yes please hit the clap button and to discuss similar stuff connect with me:

Profile Links:

Twitter: https://x.com/rootxvishal

LinkedIn: https://www.linkedin.com/in/vishalvishw10/

Instagram: https://www.instagram.com/rootxvishal/