Hey guys so this blog post is about an Issue in Snapchat’s Website, due to Improper Input Validation one can add custom text & urls in SMS send by Snapchat here’s a Short POC of the issue.
HackerOne Report: #420420
A Subdomain on Snapchat’s website https://whatis.snapchat.com/ Gives the basic information about Snapchat, what it does and how it works along with this at the bottom of the page it have an option to try snapchat yourself by downloading the app now you can either download by clicking the links or by getting an sms containing link to download the app to your phone.
I decided to test that and i put my phone num there and clicked Send Link a HTTP POST request was made to a URL on app.snapchat.com
the ‘cid=’ parameter caught my attention as the SMS that was send also contained the parameter in the message
Now i wanted to try to make a custom message sent by snapchat but as the POST request that was sent earlier couldn’t be modified i decided to test the ‘cid=’ parameter so i changed and added text and URL in the ‘cid=’ parameter in the request and as URLs can’t contain a space i added + just to break the clickable URL in SMS and make it look like text.
Just by this a Person could have added custom text and URLs in SMS send by snapchat.
Snapchat Fixed this by not reflecting the cid or any other parameter in there SMS.
- Always test common endpoints and see how they reflect to different values added to them.
- Keep Hunting you have no idea what kinda bug might pay your bills.
Thanks for Reading..