Airbnb : Steal Earning of Airbnb hosts by Adding Bank Account/Payment Method (IDOR)

Hi All,

Company Info :
Airbnb is an online marketplace and hospitality service, enabling people to lease or rent short-term lodging including vacation rentals, apartment rentals, homestays, hostel beds, or hotel rooms. The company does not own any lodging; it is merely a broker and receives percentage service fees (commissions) from both guests and hosts in conjunction with every booking. It has over 3,000,000 lodging listings in 65,000 cities and 191 countries, and the cost of lodging is set by the host.


Bug category :
Insecure Direct Object Reference (IDOR)
Link : https://www.owasp.org/index.php/Top_10_2013-A4-Insecure_Direct_Object_References


Technical Details of the Bug : 
Applications frequently use the actual name or key of an object when generating web pages. Applications don't always verify that the user is authorized for the target object. This results in an insecure direct object reference flaw. Testers can easily manipulate parameter values to detect such flaws. Code analysis quickly shows whether authorization is properly verified.


Bug Description : 
When you start adding your payout information, Airbnb first adds your address. Once the address is added, it generates a payout_ID, which is then used to fetch the link to the Payoneer account. This link contains the token for registering the bank account details that will be added to your Airbnb account. In this flow, the request that takes the newly generated payout_ID and returns the Payoneer link is vulnerable to IDOR: it returns the link for any user's payout_ID. Once the attacker has that link, he can add his own bank account to the victim's Airbnb account.





Vulnerable Request : 
POST /users/payoneer_account_redirect/[payout_ID] HTTP/1.1
Host: www.airbnb.co.in
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://www.airbnb.co.in/users/payout_preferences/115687601/new
Cookie: [cookie_values]
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 118
authenticity_token=&user_id=[user_id]

Change the payout_ID to any unused payout_ID and you will get a Payoneer link for entering bank account details. Once you fill in the bank account details, they are added to the victim's account.


Steps to reproduce :
1. Create a victim account and start adding your payout details.
2. Once you add your bank address details, capture the next request. You will see the request shown above. Note down the payout_ID.
3. Don't complete the bank account details here.
4. Now create an attacker account and add payout details.
5. Capture the same request and change the ID to the victim's payout_ID.
6. Send this request to the server; you will get the victim's Payoneer link.
7. Fill in the bank account details and save. You will notice that the bank account details are now added to the victim's account.

Condition : The Payoneer payout_ID must be unused. If the victim has already added bank information, the payout_ID will not be accepted.
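The missing server-side check behind this report, as an added illustration that is not Airbnb's code: the lookup keyed only on the client-supplied payout_ID beside an owner-scoped lookup that also honours the "unused" condition. Record fields, the token format, the sample data and the status codes are assumptions.

```ruby
# Added example, not Airbnb's code: the missing check behind the IDOR above,
# modelled as a lookup keyed only on payout_id next to an owner-scoped lookup.
# Record fields, the token format and the status codes are assumptions.

# Constructed sample data: pending payout records, one per user.
PAYOUTS = {
  1001 => { user_id: 500, token: "tok-victim",   bank_added: false },
  1002 => { user_id: 501, token: "tok-attacker", bank_added: false },
  1003 => { user_id: 502, token: "tok-done",     bank_added: true  },
}.freeze

def payoneer_link(token)
  "https://payoneer.example/register?token=#{token}"
end

# Vulnerable shape: the record is fetched by the client-controlled payout_id
# alone; the session identity and the user_id in the POST body are never
# compared, so any logged-in user obtains the link of any pending record.
def redirect_vulnerable(session_user_id, payout_id, body_user_id = nil)
  record = PAYOUTS[payout_id]
  return [404, nil] if record.nil? || record[:bank_added]
  [302, payoneer_link(record[:token])]
end

# Hardened shape: ownership is derived from the authenticated session only
# (the body user_id is ignored). A payout_id belonging to someone else is
# answered exactly like a missing one, so the endpoint also stops acting as
# an id-enumeration oracle. A record whose bank details are already on file
# refuses re-registration, matching the "unused" condition above.
def redirect_hardened(session_user_id, payout_id, _body_user_id = nil)
  record = PAYOUTS[payout_id]
  return [404, nil] if record.nil? || record[:user_id] != session_user_id
  return [409, nil] if record[:bank_added]
  [302, payoneer_link(record[:token])]
end

if __FILE__ == $0
  # Attacker session (user 501) presenting the victim's payout_id 1001.
  p redirect_vulnerable(501, 1001)  # => [302, "https://payoneer.example/register?token=tok-victim"]
  p redirect_hardened(501, 1001)    # => [404, nil]
  p redirect_hardened(500, 1001)    # => [302, "https://payoneer.example/register?token=tok-victim"]
end
```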


Video POC : 





Impact : 
Impact was High if the payout_ID is unused. It was easily possible to attack at least 20-30% of Airbnb host accounts. If you succeed in adding your payment method/bank account, all the host's earnings would go to the bank account you added.


Timeline : 
Feb 13th 2017 : Report sent to Airbnb Security Team through HackerOne
Feb 15th 2017 : Additional information provided to clarify the issue
Feb 28th 2017 : Report triaged by the team
March 3rd 2017 : The issue was resolved and confirmed
March 21st 2017 : $3000 bounty rewarded


I would like to thank the Airbnb Security team for fixing the issue on priority and for the decent reward.

Please feel free to contact me if you have any doubts.


Thanks !
Vijay Kumar