58 Tongcheng: improper design of an app allows arbitrary user hijacking and login
The login function of the 58 Home Express app (iOS) is improperly designed, allowing arbitrary account hijacking.
1. Enter the phone number of any registered 58 Tongcheng user, such as 13888888888.
2. To avoid alerting the user, do not tap to request a verification code; instead enter an arbitrary incorrect code, such as 123456.
3. Intercept the response and change its response code to 0.
4. Proceed to the next step. The userid is returned directly; record its value.
5. Repeat steps 1 to 3, again changing the response code to 0 in step 3. Then replace the userid returned in step 3 with the userid recorded in the previous step and continue.
6. Proceed to the next step; the login succeeds.
7. Doing the same with another account yields that account's orders and other related information.
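Read from the defender's side, the report describes a login flow in which the server never records whether the verification code was actually accepted: each later step trusts the client, so a response code flipped to 0 in transit carries the client through to a userid and then a session. The Python model below is an added illustration, not code from the 58 Home Express app or from the report; the endpoint functions, field names and the ticket format are assumptions. It contrasts a flow with that property against one in which a correct code earns a signed, single-use ticket bound to the phone number, and the login step accepts nothing else.

```python
"""Server-side model of an SMS-code login flow: a design whose only gate is a
response code checked on the client, beside a design where the server keeps
the evidence of a passed check itself.

Added illustration; endpoint names, fields and the ticket format are assumed.
"""
import hashlib
import hmac
import secrets

# Constructed sample data: phone number -> correct one-time code and userid.
USERS = {"13888888888": {"otp": "482913", "userid": 1001}}

SERVER_KEY = secrets.token_bytes(32)  # held only by the server (constructed)


# ---- Flawed design: later steps carry no proof that the code check passed ----
def flawed_check_code(phone, otp):
    """Answers the code check with a bare status code and stores nothing."""
    user = USERS.get(phone)
    ok = user is not None and hmac.compare_digest(user["otp"], otp)
    return {"code": 0 if ok else 1}


def flawed_get_userid(phone):
    """Returns the userid for a phone number; nothing ties this to a passed check."""
    return {"code": 0, "userid": USERS[phone]["userid"]}


def flawed_login(userid):
    """Issues a session for whatever userid the client presents."""
    return {"code": 0, "userid": userid, "session": secrets.token_hex(16)}


def flawed_flow(phone, otp, tamper_response):
    """Client logic as the app behaves: proceed whenever code == 0.
    tamper_response models the response being rewritten in transit."""
    resp = flawed_check_code(phone, otp)
    if tamper_response:
        resp = {"code": 0}  # the client now sees success
    if resp["code"] != 0:
        return None
    userid = flawed_get_userid(phone)["userid"]
    return flawed_login(userid)


# ---- Hardened design: the server mints a single-use ticket on success and
# requires it, bound to the phone number, at login --------------------------
PENDING_TICKETS = set()


def _mac(phone, nonce):
    return hmac.new(SERVER_KEY, f"{phone}:{nonce}".encode(), hashlib.sha256).hexdigest()


def fixed_check_code(phone, otp):
    """Returns a ticket only when the code is correct; the code field alone proves nothing."""
    user = USERS.get(phone)
    if user is None or not hmac.compare_digest(user["otp"], otp):
        return {"code": 1}
    nonce = secrets.token_hex(16)
    ticket = f"{nonce}.{_mac(phone, nonce)}"
    PENDING_TICKETS.add(ticket)
    return {"code": 0, "ticket": ticket}


def fixed_login(phone, ticket):
    """Looks up the userid server-side and issues a session only for a valid,
    unused ticket bound to this phone; the client never supplies a userid."""
    if not isinstance(ticket, str) or ticket not in PENDING_TICKETS:
        return {"code": 1}
    nonce, _, mac = ticket.partition(".")
    if not hmac.compare_digest(mac, _mac(phone, nonce)):
        return {"code": 1}  # ticket was issued for a different phone number
    PENDING_TICKETS.discard(ticket)  # single use
    return {"code": 0, "userid": USERS[phone]["userid"], "session": secrets.token_hex(16)}


def fixed_flow(phone, otp, tamper_response):
    resp = fixed_check_code(phone, otp)
    if tamper_response:
        resp = {"code": 0}  # the code can be flipped, but no ticket can be minted
    if resp["code"] != 0:
        return None
    result = fixed_login(phone, resp.get("ticket"))
    return result if result["code"] == 0 else None


if __name__ == "__main__":
    print("flawed, tampered:", flawed_flow("13888888888", "123456", True))
    print("fixed, tampered: ", fixed_flow("13888888888", "123456", True))
    print("fixed, correct:  ", fixed_flow("13888888888", "482913", False))
```

The point of the hardened half is that the client's view of the response is irrelevant: the login endpoint only consults state the server created when it verified the code, the ticket is keyed to the phone number so it cannot be replayed against another account, and the userid is looked up on the server rather than accepted from the request.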
Solution:
None