I found this vulnerability last week, and reported it to Quora. They haven't replied yet, so I am assuming it's not a big vulnerability.
Through this method, you will be able to hack and get access to all Quora accounts being used on the LAN. There is also a URL redirect vulnerability, using which you can spam the walls of the linked Facebook accounts of the users. So this is how it goes.
As I was using the Android Quora app on my mobile, I noticed the following. If I go to the profile tab and click on "Inbox", it takes me to http://www.quora.com/inbox. But before it does that, it first goes to this intermediate link (subsequently, I will be calling this IL):
and then goes to http://www.quora.com/inbox/
On further analyzing this link I found that anyone who had access to this IL could access my account. So basically, if I give that link to you, you can put it in your browser, and you will be logged into my account. It will not ask you for my login credentials or anything.
The user value is the user ID of any user, and the b value is something unique to each logged-in session; I am guessing something like a session ID.
When you log in to Quora.com in your browser, there is a cookie called "m-b". If you take that cookie value and put it into the b value in the IL, the link works and it will open your inbox. The user value is the user ID of the user. This can be found by looking at the URL of the Quora profile picture of the user. The URL will be of the form http://qph.is.quoracdn.net/main-thumb-[user-id]-200-VPN8Lywty7hX4ZM4SkYwlUoiNhmiaLyA.jpeg or something like that.
Vulnerability 2:
If you look at the "next" field in the IL, it contains the URL, doubly encoded.
Any URL can be doubly encoded here: http://meyerweb.com/eric/tools/dencoder/ . Just encode the URL twice in the above link.
So if you want to redirect to google.com, the vulnerable link will be
http://www.quora.com/login/android_login?next=http%253A%252F%252Fwww.google.com%252F&user=[user-id here]&b=[mb-cookie value here]
Once the user goes to this link, the page will automatically go to http://www.google.com without any intermediate page.
This is a very serious vulnerability. There is a URL redirection happening from Quora.com to a non-Quora domain. This can be exploited to access the Facebook access token of users and further be used to spam the Facebook wall of the victim via the Quora Facebook app. This method has been illustrated very clearly here: http://blog.prakharprasad.com/2013/06/pwning-facebook-accounts-taking-little.html?m=0 , and hence I would not like to show how to do that here.
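Both issues above come down to what the login endpoint accepts in its query string: a session secret in the `b` parameter, and a `next` target that is decoded again after the first decode, so a doubly encoded external URL passes through. The following is an added example (not Quora's code and not from the original post) of the server-side check and log audit a defender would want: it decodes `next` until it is stable, accepts only same-host or single-slash relative targets, and flags any request that carries the session value in the URL. The allowed host list, the `SAMPLE_LOG` request lines, the user ID and the token value are all constructed for this example.

```python
from urllib.parse import parse_qs, unquote, urlparse

# Assumed allow-list of hosts a post-login redirect may land on.
ALLOWED_HOSTS = {"www.quora.com", "quora.com"}
# The post says the "b" parameter carries the m-b session cookie value,
# so its presence in any URL is itself a finding.
SECRET_PARAMS = {"b"}


def fully_decode(value, max_rounds=5):
    """Percent-decode until the string stops changing, so a doubly encoded
    target like http%253A%252F%252F... is judged as the app will see it
    after its own second decode."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    return value


def is_safe_next(next_value, allowed_hosts=ALLOWED_HOSTS):
    """True only if the redirect target stays on an allowed host or is a
    plain relative path. Rejects scheme-relative (//host), userinfo tricks
    (host@evil), non-http schemes and characters browsers may normalise."""
    target = fully_decode(next_value)
    if any(c in target for c in "\\\r\n\t"):
        return False
    parsed = urlparse(target)
    if parsed.scheme == "" and parsed.netloc == "":
        # Relative path: exactly one leading slash, never "//evil.example".
        return target.startswith("/") and not target.startswith("//")
    if parsed.scheme not in ("http", "https"):
        return False
    return parsed.hostname in allowed_hosts


# Constructed request lines in the shape of an access log; not real traffic.
SAMPLE_LOG = [
    "GET /login/android_login?next=%252Finbox%252F&user=12345&b=SESSIONTOKEN",
    "GET /login/android_login?next=http%253A%252F%252Fwww.google.com%252F&user=12345&b=SESSIONTOKEN",
    "GET /inbox/",
]


def audit_request(line):
    """Return a list of findings for one request line: a session secret in
    the URL and/or an off-origin redirect target."""
    findings = []
    path = line.split(" ", 1)[1] if " " in line else line
    query = parse_qs(urlparse(path).query, keep_blank_values=True)
    for name in sorted(SECRET_PARAMS):
        if name in query:
            findings.append(f"session secret '{name}' in URL")
    for nxt in query.get("next", []):
        if not is_safe_next(nxt):
            findings.append(f"open redirect target {fully_decode(nxt)}")
    return findings


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(line, "->", audit_request(line) or "ok")
```

`parse_qs` already removes one layer of encoding, which is exactly why `fully_decode` keeps going until the value is stable: a validator that checks the target only after a single decode would still see `http%3A%2F%2Fwww.google.com%2F` as a harmless-looking relative string and let it through.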
Hope this was interesting! I am working on a video demonstrating this whole hack, and will upload it once I find some free time.
Till then. Cheers 🙂