Vulnerability in ICQ allowed joining absolutely any chat

Hello everyone, today I want to tell you a story about how I discovered a vulnerability in ICQ that allowed you to connect to absolutely any chat by its chat.agent ID.

The vulnerability was in api.icq.com.
Vulnerable Method: Add People to Chat.

mchat/AddChat

Method Parameters:

	&aimsid= //This is our account's secret key
	&c=WebIM.jscb_tmp_c12813 //some kind of log
	&chat_id=680009979@chat.agent //the vulnerable part itself; the chat id is written here
	&members=740645342 //A friend's uin should go here, but we substituted our own uin

Thus, by composing this request, we could be connected to absolutely any chat.

An addition to the vulnerability

The vulnerability is quite serious on its own, but it had another trump card. When I connected to a chat where I had never been before, the complete chat history was loaded, including everything written before I was there.
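The missing server-side check behind both issues above, shown as an added example that is not from the original post or from ICQ's code. The in-memory model, function names, constructed session keys and the join-time history policy are all assumptions made for illustration.

```python
# Added illustration: hypothetical in-memory model, not ICQ's code.
from dataclasses import dataclass, field

class Forbidden(Exception):
    """Caller is not allowed to act on this chat."""

@dataclass
class Chat:
    members: dict = field(default_factory=dict)   # uin -> index of first readable message
    messages: list = field(default_factory=list)

# Constructed session keys (aimsid -> uin); real keys are opaque secrets.
SESSIONS = {"aimsid-alice": "1001", "aimsid-bob": "1002", "aimsid-outsider": "2002"}
CHATS = {}

def make_chat(chat_id, owner_uin, messages):
    """Create (or reset) a chat with one member who can read everything."""
    CHATS[chat_id] = Chat(members={owner_uin: 0}, messages=list(messages))
    return CHATS[chat_id]

def add_chat_vulnerable(aimsid, chat_id, members):
    """Flaw as described: the caller is authenticated but never authorized."""
    _caller = SESSIONS[aimsid]            # valid session, membership never checked
    chat = CHATS[chat_id]
    for uin in members:
        chat.members.setdefault(uin, 0)   # 0 = whole history readable

def _authorize(aimsid, chat_id):
    """Return (caller_uin, chat) only if the session's uin is already a member."""
    caller, chat = SESSIONS.get(aimsid), CHATS.get(chat_id)
    if caller is None or chat is None or caller not in chat.members:
        raise Forbidden(chat_id)
    return caller, chat

def add_chat_hardened(aimsid, chat_id, members):
    """Only an existing member may add people to the chat."""
    _, chat = _authorize(aimsid, chat_id)
    for uin in members:
        # Assumed policy: a new member's history starts at the moment of joining.
        chat.members.setdefault(uin, len(chat.messages))

def read_history(aimsid, chat_id):
    """Return only the messages the caller is entitled to see."""
    caller, chat = _authorize(aimsid, chat_id)
    return chat.messages[chat.members[caller]:]
```

The identity used for the check comes from the session key on the server side, never from the `members` or `chat_id` values supplied in the request.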

HackerOne vulnerability report

After the vulnerability was discovered, I immediately went to hackerone.com. I reported the problem in ICQ and waited for an answer.


Apr 23rd (2 months ago)

Thank you, we will check and discuss the current behavior with the developers.

Reply from the ICQ team.

After that, I began to wait... And then I got an answer that surprised me very much...

Good afternoon!

We do not confirm the existence of a vulnerability. The remaining finds, if any, should be separate reports, please.

Reply from the ICQ team.

I spent a very long time proving that there was a vulnerability. And I decided to scare the guys from the ICQ team a little.
Are you not adequate? I join absolutely any chat, whatever it may be, so I can also see what people talked about before me. Well, just do not consider vulnerability. I will use for the good not all the best.

Sergey Kashatov (reporter).
This whole thing dragged on until May, and now they finally gave me a positive answer!

May 11th

Good afternoon!

We acknowledge a security problem and have it put to work. We will inform you about the correction. Payment will be scheduled within 1 week.

ICQ team

After 5 days, the vulnerability was fixed.


Good afternoon!

Vulnerability in the framework of the report you sent is fixed. Please check that this is so.

ICQ team

I confirmed the fix, and the next day I received a $1000 vulnerability reward.

After 4 weeks, the report was opened to the public.

In general, something like that.

Thanks to all.

Report Link
