How I hacked a website integrated w/ Facebook having 1.1 mil. users under 45 seconds.

How a 17 year old hacked 1.1 million people’s mind, leaving an active hack, which is not yet fixed!

Sweet Note : These bugs are still active. Enjoy roaming to what I call, “The Candy Land”.

Fairy Tale

Not a good reason, Piyush.

Brownie Point — This application has over 1.1 million likes. (This stat was enough to get me started)

Technical background and Reconnaissance corner *boring*

Chapter 0 : Something is awry

Initial Inspection
view-source: en.weequizz.com | Highlighted Question 1

Chapter 1: Digging the rabbit hole

Question with Options
cAnswer(1, 10, 'b2b8x', 'p6lg8', 'exy5s', 'etsyuypdf', 'n08t3', true)
cAnswer(1, 10, 'b2b8x', 'p6lg8', 'z3jpz', 'etsyuypdf', 'n08t3', true)
cAnswer(1, 10, 'b2b8x', 'p6lg8', 'n08t3', 'etsyuypdf', 'n08t3', true)
cAnswer(1, 10, 'b2b8x', 'p6lg8', 'rxmj5', 'etsyuypdf', 'n08t3', true)
Jackpot!

Bugs and Exploits Corner : *’Yay!’ Zone*

Manual Exploitation of the Wee Quizz Algorithm :

Voila!

You just nailed the quiz of an unknown person, Enjoy!

#1 Exploit : Tangled List Bug

But Wait !!

Let’s Automate!

What?, I love Iron Man!! ❤

Boom!

Code of the Exploit Sandwitch

Takeaway?

#2 Bug : W.T.F. Bug! *for the lazy ones*

It involves just three easy steps.

Final chapter: The Aftermath

Bottom line 1/2

Our target en.weequiz.com was handling the sensitive data (quiz answers in this case) on client’s side, and we all know that, handling sensitive data on client’s side is not good for health.

Bottom line *the other 1/2*

Don’t trust if someone scores perfect in your personal online quizzes.

About the Author

Social Jazz.

Google Code-In C. Winner. GsOCer ‘19. Independent Security Researcher. Have hacked Medium, Mozilla, Opera & many more. Personal Website: https://0x48piraj.com