Hello, amazing hackers. My name is Neh Patel and I’m a bug hunter.
I’ve been thinking about writing about my findings for a while, so here we go.
Please let me know if you notice any spelling errors.
Let's start.
It was about 2 or 2:30 am at midnight, and I was reading some books related to hacking. I was just going to bed when I decided to check my email.
In one mail, at the end, there was a button or link called “unsubscribe”. As we all know, it was for unsubscribing from that company’s mail notifications.
I thought about checking this “unsubscribe” link. There was a parameter called “email” in that link.
I wondered what would happen if I changed the value of the “email” param. Interestingly, the value of that param was encoded in some format, so I decided to decode it.
I copied that link, pasted it into Notepad, and checked for different encodings. I checked it with base64, md5, and other popular encryption methods but found nothing.
After some time, I noticed that the value contained only the letters A to F and the digits 0 to 9. I got it: it was the hexadecimal value of the plain email address.
After decoding, I got my real email address, but in all CAPITAL letters. I decided to change that value, so I took a fake email address, changed all the letters to CAPITALS, encoded it into hexadecimal, copied the encoded string, and pasted it in place of the real value of the “email” param.
Boom… I found an IDOR; we can unsubscribe anyone’s email.
But I did not stop at that bug. I wrote a simple XSS payload:
<script>alert(document.domain)</script>
and again made all the letters capitals, encoded it into hexadecimal, and pasted it as the value of the “email” param.
Again, it’s XSS. Yeah, I did it … I did it … I did it.
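One way to close both issues described above, as an added example that is not part of the original write-up and not the affected company's code: the hex-only scheme next to a token bound to the address with an HMAC, plus HTML-escaping of the reflected value. The function names, the token layout and SECRET_KEY are assumptions made for illustration.

```python
import hashlib
import hmac
import html
from typing import Optional

# Assumption: constructed demo key; a real service loads this from a secret store.
SECRET_KEY = b"constructed-demo-key"

def weak_token(email: str) -> str:
    """Scheme from the write-up: hex of the upper-cased address, nothing else."""
    return email.upper().encode().hex().upper()

def weak_resolve(token: str) -> str:
    """Accepts anything that decodes, so anyone can build a token for any address."""
    return bytes.fromhex(token).decode()

def _tag(body: str) -> str:
    return hmac.new(SECRET_KEY, body.encode(), hashlib.sha256).hexdigest()

def signed_token(email: str) -> str:
    """Hex-encoded address plus an HMAC-SHA256 tag that only the server can compute."""
    body = email.upper().encode().hex()
    return f"{body}.{_tag(body)}"

def signed_resolve(token: str) -> Optional[str]:
    """Return the address only when the tag verifies; otherwise None."""
    body, sep, tag = token.partition(".")
    if not sep:
        return None  # bare hex value, as in the original link format
    # Constant-time comparison on bytes avoids leaking how much of the tag matched.
    if not hmac.compare_digest(tag.encode(), _tag(body).encode()):
        return None
    try:
        return bytes.fromhex(body).decode()
    except (ValueError, UnicodeDecodeError):
        return None

def confirmation_page(address: str) -> str:
    """Escape the decoded value before reflecting it into the HTML response."""
    return f"<p>{html.escape(address)} has been unsubscribed.</p>"

if __name__ == "__main__":
    token = signed_token("user@example.com")  # constructed sample address
    print(signed_resolve(token))
    print(signed_resolve(weak_token("other@example.com")))
```

The signature stops token forgery, and the escaping is still needed on its own, because any value that reaches the page must be treated as untrusted text.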
Thanks for reading my write-up! Throw a heart to this story. If you liked it, please share it with your hacker friends. I will be back with another write-up shortly.