ICQ vulnerability allowed to join absolutely any chat

Hello everyone, today I want to tell you a story about how I discovered a vulnerability in ICQ that allowed you to join absolutely any chat by its chat.agent id.

The vulnerability was at api.icq.com.
Vulnerable method: adding people to a chat.

mchat/AddChat 

Method parameters:

&aimsid=
&c=WebIM.jscb_tmp_c12813
&chat_id=680009979@chat.agent // id of the chat
&members=740645342 // uin to add

Thus, by composing such a request, we could join absolutely any chat.

An additional finding

The vulnerability is serious enough on its own, but it had another trump card: after joining a chat where I had never been, I could download the full chat history from before I joined.
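To make the missing check concrete, here is an added example of my own; it is a constructed in-memory model, not ICQ's code. It assumes a session store that maps an aimsid token to a uin and a chat object that records at which message each member joined. The chat id and uin are the values from the request above; the session tokens, the other uins and the messages are constructed. The vulnerable handler authenticates the session but never asks whether the caller is already a member of the chat, so anyone can add any uin (including their own) to any chat and then read the whole history. The hardened handler requires membership, returns the same error for "no such chat" and "not a member", and records the join point so that history from before the join stays hidden, which covers the second finding as well.

```python
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when the caller may not perform the requested action."""


@dataclass
class Message:
    seq: int      # position in the chat, starting at 1
    sender: str   # uin of the sender
    text: str


@dataclass
class Chat:
    chat_id: str
    members: dict = field(default_factory=dict)   # uin -> seq at which that uin joined
    history: list = field(default_factory=list)   # Message objects in order

    def post(self, sender: str, text: str) -> None:
        self.history.append(Message(len(self.history) + 1, sender, text))


CHAT_ID = "680009979@chat.agent"   # chat id from the request in the article
OUTSIDER = "740645342"             # uin from the request in the article


def build_fixture():
    """Constructed sessions (aimsid -> uin) and one chat with two members."""
    sessions = {"aimsid-alice": "100001", "aimsid-outsider": OUTSIDER}
    chat = Chat(CHAT_ID, members={"100001": 0, "100002": 0})
    chat.post("100001", "message sent before the outsider joined")
    return sessions, {CHAT_ID: chat}


def resolve_session(sessions: dict, aimsid: str) -> str:
    if aimsid not in sessions:
        raise Forbidden("invalid aimsid")
    return sessions[aimsid]


def add_chat_vulnerable(sessions, chats, aimsid, chat_id, members) -> list:
    """Authenticates the session but never asks whether the caller belongs to the chat."""
    resolve_session(sessions, aimsid)            # authentication only, no authorization
    chat = chats[chat_id]
    for uin in members.split(","):
        chat.members.setdefault(uin, 0)          # join seq 0: the full history is visible
    return sorted(chat.members)


def add_chat_hardened(sessions, chats, aimsid, chat_id, members) -> list:
    """Requires the caller to be a member already and records where the newcomer joined."""
    caller = resolve_session(sessions, aimsid)
    chat = chats.get(chat_id)
    # One error for "no such chat" and "not a member", so the endpoint
    # cannot be used to confirm which chat ids exist.
    if chat is None or caller not in chat.members:
        raise Forbidden("caller is not a member of this chat")
    join_seq = len(chat.history)
    for uin in members.split(","):
        chat.members.setdefault(uin, join_seq)
    return sorted(chat.members)


def get_history(sessions, chats, aimsid, chat_id) -> list:
    """Returns only the messages posted after the caller's recorded join point."""
    caller = resolve_session(sessions, aimsid)
    chat = chats.get(chat_id)
    if chat is None or caller not in chat.members:
        raise Forbidden("caller is not a member of this chat")
    since = chat.members[caller]
    return [m.text for m in chat.history if m.seq > since]


def demo() -> dict:
    """Runs both handlers against fresh fixtures and reports what the outsider sees."""
    result = {}
    sessions, chats = build_fixture()
    try:
        add_chat_hardened(sessions, chats, "aimsid-outsider", CHAT_ID, OUTSIDER)
        result["hardened_self_add"] = "allowed"
    except Forbidden:
        result["hardened_self_add"] = "denied"
    add_chat_vulnerable(sessions, chats, "aimsid-outsider", CHAT_ID, OUTSIDER)
    result["vulnerable_history"] = get_history(sessions, chats, "aimsid-outsider", CHAT_ID)

    sessions, chats = build_fixture()
    add_chat_hardened(sessions, chats, "aimsid-alice", CHAT_ID, OUTSIDER)   # an existing member invites
    result["hardened_history"] = get_history(sessions, chats, "aimsid-outsider", CHAT_ID)
    return result


if __name__ == "__main__":
    print(demo())
```

Running the block prints that the outsider's self-add is denied by the hardened handler, that the vulnerable handler lets the outsider in and exposes the earlier message, and that a legitimate invite through the hardened handler gives the newcomer an empty history until new messages arrive. The design point is that authentication (a valid aimsid) and authorization (membership in that particular chat) are separate checks, and the join point is what makes the history scoping enforceable.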

Reporting the vulnerability on HackerOne

After finding the vulnerability, I immediately went to hackerone.com, reported the problem to ICQ, and waited for an answer.

Apr 23rd (2 months ago)

Thank you, we will check and discuss the current behavior with the developers.
Reply from the ICQ team.
After that I waited... and then I received an answer that surprised me a lot:

Good day!

We do not confirm the existence of a vulnerability. The rest of the findings, if there are any, please submit as separate reports.

Reply from the ICQ team.
I spent a very long time proving that there was a vulnerability, and I decided to scare the guys from the ICQ team a little.
Are you not adequate? I can join absolutely any chat, whatever it is, and I can also see what people were talking about before me. Good times, you do not consider this a vulnerability. I will use it for no good. All the best.

Sergey Kashatov (reporter).
The whole thing dragged on until May, when I finally got a positive answer!

May 11th

Good day!

We confirm the existence of a security problem and have started working on it. We will inform you when it is fixed. Payment will be scheduled within 1 week.

ICQ Team

After 5 days, the vulnerability was fixed.


Good day!

The vulnerability from the report you sent has been fixed. Please check that this is so.

ICQ Team
I confirmed the fix, and the next day I received a $1,000 reward for the vulnerability.

After 4 weeks, the report was made public.

That's about it.

Thanks to all.

Link to the report

Source: https://habr.com/ru/post/414915/


All Articles