BookMyShow account takeover using social login

Fun Apps forwards Derpina’s access token to BMS and logs into Derpina’s BMS account
Visual representation of how the victim’s access token is assumed to be used to log into BMS

Hello cruel world,

This is the story of an innocent girl, Derpina Victims, whose BookMyShow account got hacked because she just wanted to know “when will she die” from a viral, stupid Facebook app.

Derpina got to know about this “cool” Facebook app that tells her when she will die. All her friends were posting their results, so she tried it as well. Little did she know that the creator of the app is an evil person who collects the access tokens of innocent people and uses those tokens to log into BMS.

This worked because, technically, BMS only checked whether the token was a valid FB token and whether Derpina’s email was in its database. BMS didn’t check which app that access token had been issued for.

More technical details are well explained by Bhavuk Jain (@bhavukjain1) on his blog.

My finding started with an email from BookMyShow claiming that users’ accounts were compromised because of data leaks on other platforms.

Whether their claim is true or not, I thought to myself, we are not living in 2005. There must be something more to this. So I got my tools ready and tried SQL injection first on the login endpoint. Nothing happened. Then I tried Login with Facebook. I noticed that BMS was using the access_token for login. So I got an access token created by my own app with the email scope and used it instead of the access token generated by the BookMyShow app. Voila, it worked! I got logged into BookMyShow using an access token created by a third-party app.

Access token of my Facebook app
Logged into BMS using the access token of my app

Login with Facebook was not the only vulnerable option. Login with Google was misconfigured in the same way and didn’t check the creator of the id_token.
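The server-side check this write-up points at (the token must have been issued for your own app, not merely be valid) as an added Python example; this is not BookMyShow’s code nor the author’s. The app id, client id and both token responses are constructed placeholders; the Facebook response has the shape the Graph API debug_token endpoint returns, and the Google claims are assumed to come from an id_token whose signature was already verified.

```python
import time

# Constructed placeholders, not real identifiers.
BMS_FB_APP_ID = "111111111111111"                   # the site's own Facebook app id
BMS_GOOGLE_CLIENT_ID = "bms.apps.googleusercontent.com"  # the site's own Google client id

# Constructed /debug_token response for a token minted by a third-party app
# (the "when will you die" app), not by the site's own app.
THIRD_PARTY_DEBUG_TOKEN = {"data": {
    "app_id": "999999999999999",
    "is_valid": True,
    "expires_at": 4_000_000_000,
    "user_id": "1234567890",
    "scopes": ["email", "public_profile"],
}}

# Constructed, already signature-verified id_token claims issued to someone else's client id.
THIRD_PARTY_GOOGLE_CLAIMS = {
    "iss": "https://accounts.google.com",
    "aud": "evil.apps.googleusercontent.com",
    "exp": 4_000_000_000,
    "email": "derpina@example.com",
    "email_verified": True,
}

def weak_facebook_check(debug_resp, known_emails, email):
    """The check described above: token is valid and the email exists. Issuing app ignored."""
    return bool(debug_resp["data"].get("is_valid")) and email in known_emails

def strict_facebook_check(debug_resp, expected_app_id, now=None):
    """Accept only tokens minted for our own app, unexpired, with the email scope granted."""
    d = debug_resp.get("data", {})
    now = time.time() if now is None else now
    return (d.get("is_valid") is True
            and d.get("app_id") == expected_app_id
            and d.get("expires_at", 0) > now
            and "email" in d.get("scopes", []))

def strict_google_check(claims, expected_client_id, now=None):
    """Accept only id_tokens Google issued for our client id, unexpired, with a verified email."""
    now = time.time() if now is None else now
    return (claims.get("iss") in ("https://accounts.google.com", "accounts.google.com")
            and claims.get("aud") == expected_client_id
            and claims.get("exp", 0) > now
            and claims.get("email_verified") is True)
```

The weak check accepts the third-party token as long as the email is known; the strict checks reject it because app_id and aud do not match the site's own identifiers.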

13 Jun 2019 at 1:06 AM — Security update email from BookMyShow
13 Jun 2019 at 1:35 AM — Found the vulnerability
13 Jun 2019 at 4:23 AM — Reported with mitigation suggestions
26 Jun 2019 at 9:43 PM — Received email saying the bug has been fixed
28 Jun 2019 at 3:43 PM — Bounty rewarded

Sukhmeet Singh