
Vulnerability in ICQ allowed joining absolutely any chat
Hello everyone, today I want to tell you a story about how I discovered a vulnerability in ICQ that allowed you to connect to absolutely any chat by its chat.agent ID.
The vulnerability was in api.icq.com.
Vulnerable Method: Add People to Chat.
mchat/AddChat
Method Parameters:
&aimsid= //This is our account's secret key
&c=WebIM.jscb_tmp_c12813 //some kind of log
&chat_id=680009979@chat.agent //the actual vulnerable method; the chat id is written here
&members=740645342 //A friend's uin should go here, but we substituted our own uin
Thus, by composing this request, we were connected to absolutely any chat.
An addition to the vulnerability
The vulnerability is quite serious, but it had another trump card. When I connected to a chat where I had never been, the complete chat history was loaded for me, including everything from before I was there.
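The two missing checks described above, sketched as an added example that is not code from the original post or from ICQ: the caller's own membership is verified before members are added, and history is served only from the point of joining. The in-memory model, all names, the sample UINs and the join-time history cut-off are assumptions; the post does not say how ICQ fixed it.

```python
from dataclasses import dataclass, field

class Forbidden(Exception):
    """Raised when the caller is not authorized for the chat."""

@dataclass
class Chat:
    members: dict = field(default_factory=dict)   # uin -> index of first readable message
    messages: list = field(default_factory=list)  # (sender_uin, text) tuples

# In every function `caller` is assumed to be the UIN resolved server-side
# from the session key (aimsid), never a value taken from request parameters.

def add_members_unchecked(chat, caller, new_members):
    """Behaviour the post describes: the caller's membership is never checked."""
    for uin in new_members:
        chat.members.setdefault(uin, 0)  # 0 = whole history readable

def add_members(chat, caller, new_members):
    """Hardened variant: only an existing member may add people, and new
    members start reading at the current end of the log (assumed policy)."""
    if caller not in chat.members:
        raise Forbidden(f"{caller} is not a member of this chat")
    for uin in new_members:
        chat.members.setdefault(uin, len(chat.messages))

def history(chat, caller):
    """Return only the messages the caller is entitled to read."""
    if caller not in chat.members:
        raise Forbidden(f"{caller} is not a member of this chat")
    return chat.messages[chat.members[caller]:]

def demo():
    # Constructed sample data, not taken from the post.
    chat = Chat(members={"1001": 0, "1002": 0},
                messages=[("1001", "private note"), ("1002", "reply")])
    outsider = "9999"
    results = {}
    try:
        add_members(chat, outsider, [outsider])  # non-member adding itself
        results["self_add"] = "allowed"
    except Forbidden:
        results["self_add"] = "denied"
    add_members(chat, "1001", ["1003"])          # legitimate invite by a member
    chat.messages.append(("1001", "welcome"))
    results["invitee_sees"] = history(chat, "1003")
    return results

if __name__ == "__main__":
    print(demo())
```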
Hackerone vulnerability report
After the vulnerability was discovered, I immediately went to hackerone.com. I fixed the problem in ICQ and waited for an answer.
Apr 23rd (2 months ago)
Thank you, check and discuss the current behavior with the developers.
Reply from the ICQ team.
After that, I began to wait ... And then I got an answer that surprised me very much ...
Good afternoon!
We do not confirm the existence of a vulnerability. The remaining finds, if any, should be separate reports, please.
Reply from the ICQ team.
I spent a very long time proving that there is a vulnerability. And I decided to scare the guys from the ICQ team a little.
Are you not adequate? I join absolutely any chat, whatever it may be, so I can also see what people talked about before me. Well, just do not consider vulnerability. I will use for the good not all the best.
Sergey Kashatov (reporter).
This whole thing dragged on until May, and now they finally gave me a positive answer!
May 11th
Good afternoon!
We acknowledge a security problem and have it put to work. We will inform you about the correction. Payment will be scheduled within 1 week.
ICQ team
After 5 days, the vulnerability was fixed.
Good afternoon!
Vulnerability in the framework of the report you sent is fixed. Please check that this is so.
ICQ team
I confirmed the fix, and the next day I received a $1000 vulnerability reward.
After 4 weeks, the report was opened to the public.
In general, something like that.
Thanks to all.
Report Link