How I hacked a website integrated w/ Facebook having 1.1 mil. users under 45 seconds.

How a 17 year old hacked 1.1 million people’s mind, leaving an active hack, which is not yet fixed!


Sweet Note : These bugs are still active. Enjoy roaming to what I call, “The Candy Land”.

Fairy Tale


Not a good reason, Piyush.

Brownie Point — This application has over 1.1 million likes. (This stat was enough to get me started)

Technical background and Reconnaissance corner *boring*


Chapter 0 : Something is awry

Initial Inspection
view-source: en.weequizz.com | Highlighted Question 1

Chapter 1: Digging the rabbit hole

Question with Options
cAnswer(1, 10, 'b2b8x', 'p6lg8', 'exy5s', 'etsyuypdf', 'n08t3', true)
cAnswer(1, 10, 'b2b8x', 'p6lg8', 'z3jpz', 'etsyuypdf', 'n08t3', true)
cAnswer(1, 10, 'b2b8x', 'p6lg8', 'n08t3', 'etsyuypdf', 'n08t3', true)
cAnswer(1, 10, 'b2b8x', 'p6lg8', 'rxmj5', 'etsyuypdf', 'n08t3', true)
Jackpot!

Bugs and Exploits Corner : *’Yay!’ Zone*

Manual Exploitation of the Wee Quizz Algorithm :

Voila!

You just nailed the quiz of an unknown person, Enjoy!


#1 Exploit : Tangled List Bug


But Wait !!


Let’s Automate!

What? I love Iron Man!! ❤

Boom!

Code of the Exploit Sandwich

Takeaway?


#2 Bug : W.T.F. Bug! *for the lazy ones*


It involves just three easy steps.


Final chapter: The Aftermath


Bottom line 1/2

Our target, en.weequizz.com, was handling sensitive data (the quiz answers, in this case) on the client side, and we all know that handling sensitive data on the client side is not good for health.
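
The design point above, as an added example that is not code from the original post or from the site: answers are graded on the server, and a regression check confirms that the payload sent to the browser does not vary with the answer key. The question data and every function name here are constructed for illustration.

```javascript
// Constructed sample question; the answer key stays in server-side storage.
const QUESTION = {
  id: "q1",
  text: "Which superhero do I like most?",
  options: { o1: "Iron Man", o2: "Thor", o3: "Hulk", o4: "Loki" },
  correct: "o1",
};

// Anti-pattern: the payload sent to the browser carries the answer key.
function renderLeaky(q) {
  return { id: q.id, text: q.text, options: q.options, correct: q.correct };
}

// Hardened: only the question text and the option labels leave the server.
function renderSafe(q) {
  return { id: q.id, text: q.text, options: { ...q.options } };
}

// Server-side grading: reject ids that are not options of this question.
function grade(q, chosen) {
  if (typeof chosen !== "string" ||
      !Object.prototype.hasOwnProperty.call(q.options, chosen)) {
    return { accepted: false, correct: false };
  }
  return { accepted: true, correct: chosen === q.correct };
}

// Regression check: render the question once per possible answer key.
// If the output ever changes, the payload depends on the key, so it leaks it.
function payloadLeaksAnswer(render, q) {
  const seen = new Set();
  for (const candidate of Object.keys(q.options)) {
    seen.add(JSON.stringify(render({ ...q, correct: candidate })));
  }
  return seen.size > 1;
}

console.log("leaky payload leaks:", payloadLeaksAnswer(renderLeaky, QUESTION));
console.log("safe payload leaks:", payloadLeaksAnswer(renderSafe, QUESTION));
console.log("grade o1:", grade(QUESTION, "o1"));
console.log("grade forged id:", grade(QUESTION, "__proto__"));
```

Run `payloadLeaksAnswer` in CI against every function that serialises quiz data for the browser, so a later change that reintroduces the key into the page fails the build.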

Bottom line *the other 1/2*

Don’t trust if someone scores perfect in your personal online quizzes.

About the Author

Social Jazz.

Google Code-In C. Winner. GsOCer ‘19. Independent Security Researcher. Have hacked Medium, Mozilla, Opera & many more. Personal Website: https://0x48piraj.com
