How I hacked a website integrated with Facebook, having 1.1 million users, in under 45 seconds.

How a 17-year-old hacked 1.1 million people’s minds, leaving an active hack which is not yet fixed!

Sweet Note: These bugs are still active. Enjoy roaming what I call “The Candy Land”.

Fairy Tale

I got intrigued when an app named en.weequizz.com went viral.

Brownie Point — This application has over 1.1 million likes. (This stat was enough to get me started)

For serious cyber security enthusiasts, I will soon publish a whitepaper focusing only on the technical side, just in case you don’t want to see my bad meme selections.

Technical background and Reconnaissance corner *boring*

Initial Inspection
view-source: en.weequizz.com | Highlighted Question 1

Chapter 1: Digging the rabbit hole

Question with Options
cAnswer(1, 10, 'b2b8x', 'p6lg8', 'exy5s', 'etsyuypdf', 'n08t3', true)
cAnswer(1, 10, 'b2b8x', 'p6lg8', 'z3jpz', 'etsyuypdf', 'n08t3', true)
cAnswer(1, 10, 'b2b8x', 'p6lg8', 'n08t3', 'etsyuypdf', 'n08t3', true)
cAnswer(1, 10, 'b2b8x', 'p6lg8', 'rxmj5', 'etsyuypdf', 'n08t3', true)
Jackpot!

Bugs and Exploits Corner : *’Yay!’ Zone*

Voila!

You just nailed the quiz of an unknown person, Enjoy!

#1 Exploit : Tangled List Bug

Let’s Automate!

What?, I love Iron Man!! ❤
Code of the Exploit Sandwitch

Takeaway?

#2 Bug : W.T.F. Bug! *for the lazy ones*

After looking through its workflow and HTTP responses, another obvious evil plan came to my *empty* mind.

Final chapter: The Aftermath

Bottom line 1/2

Our target, en.weequizz.com, was handling sensitive data (the quiz answers, in this case) on the client side, and we all know that handling sensitive data on the client side is not good for your health.
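The pattern in miniature, as an added example (not the site’s code): the argument layout of cAnswer() is inferred from the four calls quoted above, where only the 5th argument changes between options and the 7th equals one of them, so the 5th is taken to be the option id and the 7th the id of the correct option. The hardened QuizServer, the submitAnswer handler name and the page fragment are all constructed for this example.

```javascript
// Constructed page fragment carrying the four cAnswer() calls quoted in the post.
const LEAKY_HTML = `
<div onclick="cAnswer(1, 10, 'b2b8x', 'p6lg8', 'exy5s', 'etsyuypdf', 'n08t3', true)">A</div>
<div onclick="cAnswer(1, 10, 'b2b8x', 'p6lg8', 'z3jpz', 'etsyuypdf', 'n08t3', true)">B</div>
<div onclick="cAnswer(1, 10, 'b2b8x', 'p6lg8', 'n08t3', 'etsyuypdf', 'n08t3', true)">C</div>
<div onclick="cAnswer(1, 10, 'b2b8x', 'p6lg8', 'rxmj5', 'etsyuypdf', 'n08t3', true)">D</div>`;

// Parse every cAnswer(...) call in the markup into its list of arguments.
function parseCAnswerCalls(html) {
  const calls = [];
  const re = /cAnswer\(([^)]*)\)/g;
  let m;
  while ((m = re.exec(html)) !== null) {
    calls.push(m[1].split(',').map(a => a.trim().replace(/^'|'$/g, '')));
  }
  return calls;
}

// Defender-side check: does the page ship its own answer key? Returns the
// option id the markup itself marks as correct (5th argument equals 7th),
// or null when no call carries the key. Argument layout is an inference.
function leakedCorrectOption(html) {
  for (const args of parseCAnswerCalls(html)) {
    if (args.length >= 7 && args[4] === args[6]) return args[4];
  }
  return null;
}

// Hardened pattern (hypothetical): the answer key stays server-side. The
// rendered markup carries only option ids and grading happens on submit.
class QuizServer {
  constructor(answerKey) { this.answerKey = answerKey; } // Map: questionId -> correct option id
  render(questionId, optionIds) {
    return optionIds
      .map(id => `<div onclick="submitAnswer(${questionId}, '${id}')">${id}</div>`)
      .join('\n');
  }
  grade(questionId, chosenId) { return this.answerKey.get(questionId) === chosenId; }
}

const server = new QuizServer(new Map([[1, 'n08t3']]));
const SAFE_HTML = server.render(1, ['exy5s', 'z3jpz', 'n08t3', 'rxmj5']);
```

Running leakedCorrectOption over LEAKY_HTML yields the key straight from view-source, while SAFE_HTML carries nothing to find.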

Bottom line *the other 1/2*

Don’t trust it if someone scores perfectly on your personal online quizzes.

About the Author

Social Jazz.


Piyush Raj ~ Rex

Google Code-In C. Winner. GsOCer ‘19. Independent Security Researcher. Have hacked Medium, Mozilla, Opera & many more. Personal Website: https://0x48piraj.com