How I could have hacked your ExpyBio Page

Hi There,

Renganathan here. I’m an Ethical Hacker & a Security Researcher.

I’ve been acknowledged by LinkedIn, United Nations, Medium, IRCTC & 20+ companies for reporting security vulnerabilities in their web applications.

What’s Expy

Expy is the only link you need to share all your websites and content, plus offer monetizable services, with more customizable features. It’s similar to Linktree, a link-in-bio tool. Moreover, it’s Indian made 😀

I was a Linktree user but later switched to Expy Bio ^_^

Here’s my Expy Link: expy.bio/Renganathan

So I was using the application and designing my own Expy page.

My Admin Panel of Expy

Suddenly I got an idea to test for security vulnerabilities, so I switched to heckur mode!

Heckur Mode!

On making any change to the Expy account, the POST request below is made:

{name: "JM_Name", JM_Name: "Renganathan", JM_ID: 420}

So the server is using the JM_ID to validate the request. I thought of testing for an IDOR here 😀

I created another account and changed the JM_ID. BOOOOOM! The details on the other page were changed 😀

Which means I could customize the other page.
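To show why this works and what the fix looks like, here is an added example (my own illustration, not Expy’s code): a minimal profile-update handler that trusts the client-supplied JM_ID, next to the same handler with an ownership check. The in-memory store, the owner names and the reading of the "name" field as "which attribute to update" are assumptions made for the illustration.

```python
# Added example (not Expy's code): a minimal profile-update handler showing
# the IDOR described above next to the ownership check that closes it.
# The store, owners and the reading of the "name" field as "which attribute
# to update" are assumptions made for this illustration.

class Forbidden(Exception):
    """Raised when the caller does not own the record it tries to change."""

EDITABLE_FIELDS = {"JM_Name"}  # allow-list of attributes a user may edit

def fresh_store():
    """Constructed data: one page record per account, keyed by JM_ID."""
    return {
        420: {"owner": "renganathan", "JM_Name": "Renganathan"},
        421: {"owner": "second_account", "JM_Name": "Second Account"},
    }

def update_vulnerable(store, session_user, body):
    """Trusts the client-supplied JM_ID to select the record, so any logged-in
    account can rewrite any page just by sending someone else's id."""
    page = store[body["JM_ID"]]
    page[body["name"]] = body[body["name"]]
    return page

def update_fixed(store, session_user, body):
    """Same payload shape; the record's owner is checked against the
    authenticated session before anything is written."""
    page = store.get(body["JM_ID"])
    if page is None or page["owner"] != session_user:
        # Identical response for 'missing' and 'not yours': no id enumeration
        raise Forbidden("record not found or not owned by the caller")
    field = body["name"]
    if field not in EDITABLE_FIELDS:
        raise ValueError(f"{field!r} is not an editable attribute")
    page[field] = body[field]
    return page

def demo():
    """Replays the report: the same request sent from a different account."""
    body = {"name": "JM_Name", "JM_Name": "Changed", "JM_ID": 420}
    before = update_vulnerable(fresh_store(), "second_account", body)["JM_Name"]
    try:
        update_fixed(fresh_store(), "second_account", body)
        after = "changed"
    except Forbidden:
        after = "rejected"
    return before, after

if __name__ == "__main__":
    print(demo())  # ('Changed', 'rejected')
```

The key point is that the record to modify is resolved from the authenticated session, and a mismatch is logged and rejected rather than silently applied.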