Ability to log in to any account on https://pandao.ru/
State Resolved (Closed)
Disclosed publicly 2019-02-06T16:00:35.530Z
Reported To
Weakness none
Bounty $2,600
Summary by lincoln9932

When logging in by phone number, there was no check that the SMS code that had been sent belonged to a specific phone number. This made it possible to log in to absolutely any account (even non-existent ones).

Summary by lincoln9932

Logical bug in the SMS verification code allowed access to the pandao.ru account bound to an arbitrary phone number.

At the time of reporting, pandao.ru was running a preliminary bug bounty for business-logic bugs with potential for fraud.
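The bug class described in the summaries above, shown as an added illustration that is not pandao.ru's code or the reporter's: a login flow where the server checks only that a one-time code was issued at all, next to one that binds the code to the phone number it was sent to, expires it, limits guesses and consumes it on first use. Class names, phone numbers and timings are constructed for the example.

```python
import hmac
import secrets

# Hypothetical in-memory SMS login service (constructed for illustration).
# Phone numbers, TTL and the attempt limit are sample values, not pandao.ru's.
class SmsLogin:
    def __init__(self, ttl_seconds=300, max_attempts=5):
        self.ttl = ttl_seconds
        self.max_attempts = max_attempts
        self._pending = {}        # phone -> {"code", "expires_at", "attempts"}
        self._issued_codes = set()  # weak pattern: codes stored with no owner

    def send_code(self, phone, now):
        """Issue a six-digit code for `phone` at time `now` (seconds)."""
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[phone] = {"code": code, "expires_at": now + self.ttl, "attempts": 0}
        self._issued_codes.add(code)
        return code  # in a real service this is handed to the SMS gateway, never returned

    def verify_vulnerable(self, phone, code):
        """The flaw: `phone` is never consulted. Any code the server has issued
        to anyone logs the caller in as any phone number, registered or not."""
        return code in self._issued_codes

    def verify_fixed(self, phone, code, now):
        """Accept `code` only if it is the live code issued for this exact phone."""
        entry = self._pending.get(phone)
        if entry is None:
            return False                      # nothing pending for this number
        if now > entry["expires_at"]:
            del self._pending[phone]          # expired: force a fresh code
            return False
        if entry["attempts"] >= self.max_attempts:
            del self._pending[phone]          # too many guesses: invalidate
            return False
        entry["attempts"] += 1
        if not hmac.compare_digest(entry["code"], code):
            return False                      # constant-time mismatch
        del self._pending[phone]              # single use: consume on success
        return True
```

The fixed verifier looks the code up by the phone number the caller claims, rather than asking whether the code exists anywhere; that binding is the check the report says was missing. Expiry, the attempt cap and single use are the standard additions a reviewer would expect alongside it.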

Timeline
submitted a report to Mail.ru.
2019-01-22T18:46:42.409Z

Regards,
Frans

  • 0 attachments:

lincoln9932 Activities::Comment
2019-01-22T18:49:38.320Z

kpebetka Activities::BugTriaged
2019-01-22T19:23:05.445Z

lincoln9932 Activities::Comment
2019-01-22T20:09:24.552Z

lincoln9932 Activities::Comment
2019-01-24T12:07:34.645Z

kpebetka Activities::BugResolved
2019-01-24T17:25:28.983Z

lincoln9932 Activities::AgreedOnGoingPublic
2019-01-24T18:45:28.379Z

Activities::BountyAwarded
2019-01-30T15:31:23.200Z

lincoln9932 Activities::Comment
2019-01-30T16:58:09.340Z

lincoln9932 Activities::Comment
2019-02-04T12:19:55.564Z

Activities::BountyAwarded
2019-02-04T12:29:06.444Z

3apa3a Activities::ChangedScope
2019-02-06T14:51:14.509Z

3apa3a Activities::AgreedOnGoingPublic
2019-02-06T16:00:35.494Z

3apa3a Activities::ReportBecamePublic
2019-02-06T16:00:35.545Z