InfoSec Write-ups

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties and CTFs to vulnhub machines, hardware challenges and real life encounters. Subscribe to our weekly newsletter for the coolest infosec updates: https://weekly.infosecwriteups.com/

Webinar Pro or Not: The $500 Access Control Bug

Abhi Sharma
Published in InfoSec Write-ups
3 min read · Sep 3, 2023

Discover how I uncovered a $500 access control bug that allowed unauthorized webinar creation. Learn about its implications, the responsible disclosure, and why access controls matter in cybersecurity. Join me for this adventure in security, discovery, and digital empowerment!

Well, lightning struck twice for me on the same platform where I previously uncovered a surprise XSS (Cross-Site Scripting) vulnerability. If you missed that story, you can catch up on it here.

Now, let’s dive into our latest adventure, uncovering a different kind of bug — an access control issue on the “Exameet” platform (not its real name). This bug allowed users to create webinars without the required “Webinar Pro” subscription.

About the Website

Exameet (a placeholder name, used to protect the privacy of a private program) is a popular online platform that lets people host webinars and online meetings. The site operates with different access levels: to create webinars, users normally need a special “Webinar Pro” subscription, which only an admin can assign. Think of it as needing a backstage pass to a concert.

Cracking the Access Control

Our journey began with a simple question: could I create a webinar without that backstage pass, the “Webinar Pro” subscription? After extensive testing, I found a way to do just that. Even without the subscription, I could create webinars. This was a glaring security issue, because it meant the system’s access controls were not being enforced correctly.

Steps to Reproduce:

  1. Admin Account: To reproduce the behavior, you’ll need an admin account on the Exameet platform. With this account, you can create other user accounts and manage their permissions from the admin page.
  2. User Creation and Login: Create a new user account and log in to Exameet using that user’s credentials.
  3. Grant “Webinar Pro” Package: Initially, assign the “Webinar Pro” package to the user you’ve just created.
  4. Webinar Scheduling: Log in to the user’s account on…
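To illustrate the class of bug the post describes from the defender's side, here is an added example (not code from the post or from the Exameet platform) contrasting a webinar-creation handler that trusts an entitlement snapshot taken at login with one that re-checks the user's current "Webinar Pro" entitlement on every request. The user store, session object and the assign-then-revoke scenario are assumptions, not details the post confirms.

```python
from dataclasses import dataclass, field

@dataclass
class User:
    name: str
    packages: set = field(default_factory=set)   # current entitlements, admin-managed

# Constructed in-memory user store standing in for the platform's database.
USERS = {"alice": User("alice")}

def admin_assign(name, package):
    USERS[name].packages.add(package)

def admin_revoke(name, package):
    USERS[name].packages.discard(package)

class Session:
    """Session issued at login. The weak design copies entitlements into it."""
    def __init__(self, name):
        self.name = name
        self.cached_packages = set(USERS[name].packages)

def create_webinar_weak(session, title):
    # Weak: authorises against the snapshot taken at login, so a package
    # revoked afterwards is still honoured for the life of the session.
    if "Webinar Pro" not in session.cached_packages:
        return None
    return {"host": session.name, "title": title}

def create_webinar_fixed(session, title):
    # Fixed: authorise against the live entitlement record on every request.
    if "Webinar Pro" not in USERS[session.name].packages:
        return None
    return {"host": session.name, "title": title}

def scenario_revoked(create):
    """Assign the package, log in, revoke it, then attempt to create."""
    admin_assign("alice", "Webinar Pro")
    session = Session("alice")
    admin_revoke("alice", "Webinar Pro")
    return create(session, "Q3 results")

def scenario_entitled(create):
    """Assign the package, log in, and create while still entitled."""
    admin_assign("alice", "Webinar Pro")
    return create(Session("alice"), "Q3 results")

if __name__ == "__main__":
    print("weak, revoked :", scenario_revoked(create_webinar_weak))
    print("fixed, revoked:", scenario_revoked(create_webinar_fixed))
```

Only the fixed handler refuses the request after revocation, while both allow an entitled user to create a webinar.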

Written by Abhi Sharma

Cybersecurity Consultant | Pentester | Bug Bounty Hunter | Content Writer 🔗 Connect with me on https://twitter.com/a13h1_ and https://www.linkedin.com/in/a13h1/
