[Casino Max Break]: Exploiting the System for Zero-Cost Shopping Enhanced

Hacking

Introduction

In this post, I recount a bounty I claimed some time ago, unveiling the intricate details of my encounter with Insecure Direct Object References (IDOR) and their unconventional applications.

This tale of digital intrigue revolves around the Casino Max app, designed to offer Casino customers the convenience of registering their loyalty cards, viewing promotions, adding bank cards, and more.

One fine day, while grocery shopping, an advertisement for the app caught my eye. The persuasive slogan led me straight to the app store. The hacker in me couldn’t resist the urge to explore its digital depths, seeking vulnerabilities of high impact with minimal effort.

The Initial Dive

In my proverbial Batman’s cave, equipped with my trusted tools, I set up my faithful proxy to unveil potential weaknesses within the Casino Max app. The initial setup prompted a connection request, leading to the discovery of an endpoint /v1/user/verify-subscription/<id/email>. It accepted either a loyalty card ID or an email and responded with the existence status of the element.

This discovery marked a crucial turn in my exploit journey. The verbosity of the JSON response was a goldmine. It was not confined to the endpoint’s domain but generously offered excessive information including:

  • is_activated (true/false)
  • has_password (true/false)
  • has_birthdate (true/false)
  • first_name
  • last_name
  • first_connexion
  • fid (loyalty card ID)

Even without prior connection, one could access sensitive data like first and last names, and it didn’t stop there.
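To make the defensive point concrete, here is an added example (mine, not code from the original post, and not Casino Max's code) that models the existence-check endpoint described above in two forms, the over-verbose one and a hardened one that returns only what the endpoint's purpose needs, and then shows a log-based check an operator could run to flag enumeration of such an endpoint. The account record, the log lines, the IP addresses and the threshold are all constructed for illustration.

```python
"""
Added example, not part of the original post: a minimal model of an
unauthenticated existence-check endpoint, the over-verbose response beside
a hardened one, and a detector that flags clients enumerating identifiers
against it. All names, values and log lines below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed backend store. Field names mirror those the post lists;
# the values are invented.
ACCOUNTS = {
    "1234567890": {
        "is_activated": True, "has_password": False, "has_birthdate": True,
        "first_name": "Jane", "last_name": "Doe",
        "first_connexion": "2023-01-05", "fid": "1234567890",
    },
}

ENDPOINT_PREFIX = "/v1/user/verify-subscription/"


def verify_subscription_verbose(lookup: str) -> dict:
    """Weak behaviour: an unauthenticated existence check that hands back
    the whole record, including PII and security-state flags."""
    record = ACCOUNTS.get(lookup)
    if record is None:
        return {"exists": False}
    return {"exists": True, **record}


def verify_subscription_hardened(lookup: str) -> dict:
    """Hardened behaviour: the response carries only the one boolean the
    endpoint's domain requires. Names, activation state and password state
    stay behind authentication. Note that even a bare boolean is still an
    oracle, which is why the enumeration check below exists."""
    return {"exists": lookup in ACCOUNTS}


# Constructed access-log lines: client ip, ISO timestamp, method, path.
LOG_LINES = [
    "10.0.0.5 2023-01-05T10:00:00 GET /v1/user/verify-subscription/1234567890",
    "10.0.0.5 2023-01-05T10:00:01 GET /v1/user/verify-subscription/1234567891",
    "10.0.0.5 2023-01-05T10:00:02 GET /v1/user/verify-subscription/1234567892",
    "10.0.0.5 2023-01-05T10:00:03 GET /v1/user/verify-subscription/1234567893",
    "10.0.0.5 2023-01-05T10:00:04 GET /v1/user/verify-subscription/1234567894",
    "10.0.0.5 2023-01-05T10:00:05 GET /v1/user/verify-subscription/1234567895",
    "10.0.0.5 2023-01-05T10:00:06 GET /v1/user/verify-subscription/1234567896",
    # A legitimate client retrying its own card: repeated id, not distinct ids.
    "10.0.0.9 2023-01-05T10:00:00 GET /v1/user/verify-subscription/1234567890",
    "10.0.0.9 2023-01-05T10:00:20 GET /v1/user/verify-subscription/1234567890",
    "10.0.0.9 2023-01-05T10:00:40 GET /v1/user/verify-subscription/1234567890",
    # Two lookups and an unrelated path: below threshold.
    "10.0.0.7 2023-01-05T10:01:00 GET /v1/user/verify-subscription/1234567890",
    "10.0.0.7 2023-01-05T10:01:05 GET /v1/user/verify-subscription/1234567899",
    "10.0.0.7 2023-01-05T10:01:10 GET /v1/promotions",
]


def parse_line(line: str):
    """Split one constructed log line into (ip, timestamp, path)."""
    ip, ts, _method, path = line.split()
    return ip, datetime.fromisoformat(ts), path


def enumeration_suspects(lines, window=timedelta(minutes=1), threshold=5):
    """Return the client IPs that queried more than `threshold` distinct
    identifiers on the existence-check endpoint within any `window`.
    Distinct identifiers, not request count, is the signal: a user
    retrying its own card is noisy but not enumerating."""
    events = defaultdict(list)
    for line in lines:
        ip, ts, path = parse_line(line)
        if not path.startswith(ENDPOINT_PREFIX):
            continue
        events[ip].append((ts, path[len(ENDPOINT_PREFIX):]))

    suspects = set()
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            distinct = {ident for _, ident in evs[start:end + 1]}
            if len(distinct) > threshold:
                suspects.add(ip)
                break
    return sorted(suspects)


if __name__ == "__main__":
    print(verify_subscription_verbose("1234567890"))
    print(verify_subscription_hardened("1234567890"))
    print(enumeration_suspects(LOG_LINES))
```

The hardened handler is the response-minimisation fix for the disclosure the post describes; the detector is the compensating control for the oracle that remains. A real deployment would additionally rate-limit the endpoint per client and per identifier and require authentication before returning any account detail.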

The App Explored

The app offered the option to add a loyalty card to the user’s account. Using a simple Python script, exploiting the IDOR vulnerability, I could list existing loyalty cards, determining their activation status and whether they were password-protected.

While attempts to add these loyalty cards were initially unfruitful, I could access the cashier’s information of a loyalty card via another endpoint within the app.

Beyond the Digital Realms of Casino Max

Driven by the ambition to exploit the app for in-store purchases without spending a dime, I delved deeper. I discovered https://www.macartecasino.fr/espace-carte/activation/, a website that allowed activation of loyalty cards by entering the card number and a date of birth.

The activated card, embedded with the information I provided, could be added to the Casino Max app, unveiling the card’s balance and transaction history.

The Climax

I ventured into a nearby Casino store to validate my discovery. At the self-checkout, I selected the “loyalty card” option and scanned the code generated by the Casino Max app. Voila! I exited the store, groceries in hand, without spending a penny.

The Bounty Claimed

Of course, this narrative isn’t meant to incite malicious activities. Following ethical hacking protocols, I disclosed this vulnerability through a private bounty program.

CVSS: 7.5

In this engaging dance with vulnerabilities, I grappled with IDORs, journeyed through the intricate pathways of the Casino Max app, and emerged victorious, bounty claimed, illuminating darkened corners of cybersecurity and reminding us of the ceaseless evolution of digital fortifications.

I’m left with a reminder of the fragility of digital systems, even those perceived as secure. Each exploit unveils a narrative, a dance of codes and encryptions, and an underlying challenge to strengthen the walls guarding our digital sanctuaries.