Lithium proprietary community platform’s critical vulnerability.

Today I have written up a description of one of the critical vulnerabilities that I found 5 months ago, which turned out to be a zero day in the Lithium Community Platform.

A little heads up about Lithium Community:

Lithium Technologies provides SaaS for Lithium's proprietary community platform. Please refer to Lithium's website for more information on this product. The company sells its proprietary community platform to many enterprise customers such as HP, Best Buy, Research In Motion, Sony, Comcast, PayPal, BT, VISA, Verizon, Symantec and AT&T.

As I said, the Lithium Community platform is used by 400+ companies, many of which are in the Fortune 500. All these companies use the Lithium platform for their community, forum and blog sites.

I brought this zero-day vulnerability to Lithium's notice in July 2016, and they took almost 5 months to fix it in their proprietary community platform across all of their clients around the world.

About the Vulnerability

Vulnerability Name: IDOR allows permanent deletion of any user's community account.

One can use this vulnerability to delete anyone's account from the community forever. The attacker can delete the victim's account, along with its personal information, accepted solutions, posts, messages, topics, blogs, kudos, friends list and achievements, from the community site forever. Once the account is deleted, the victim cannot re-open it and must re-register as a new user. This vulnerability was so severe that an attacker could delete every account in the community within a matter of seconds.

This vulnerability was rated P1 (Critical Severity) by many companies that have a bug bounty program. Among the 400+ affected companies, I reported this vulnerability to 9 through their bug bounty programs. The reason for the low count is the lack of bug bounty programs. I am not sure whether companies like BT, VISA, Verizon, Best Buy, HP, Palo Alto, etc. have fixed this vulnerability at their end, as there is no way for me to report it to them. Hence, I request all those companies I haven't reported this vulnerability to to test their sites and fix it immediately so as not to get hit!

When I reported this to Lithium, I was told that they would fix this vulnerability one by one across all of their 400+ client sites in approximately 3 months. Finally, I was awarded a total of $2000 by 9 different companies that were using Lithium Community for their sites.

Among the 400+ sites, some are listed below:
  PayPal community site
  Verizon community sites
  AT&T forum
  Skype community
  Linksys community
  Palo Alto community
  Apple discussion site
  HP support and community sites
  BlackBerry support forums
  F-Secure community
  Lenovo forum
  Juniper forums
  and many more that use the Lithium Community platform

Proof of Concept:

For the PoC I created two accounts in community.[company].com, one the victim's and the other the attacker's.

The PoC below explains how the attacker is able to delete the victim's account.

Victim account: John_victim
Attacker account: don_yahoo

Step 1) The attacker, don_yahoo, logs in to the community.[company].com dashboard.

Step 2) The attacker goes to his community profile at https://community.[company].com/t5/user/viewprofilepage/user-id/6161419, so the attacker's user ID is 6161419, as seen in that URL.

Step 3) Now go to the attacker's personal profile: https://community.[company].com/t5/user/myprofilepage/tab/personal-profile

Step 4) There is an option to Close Account. Close Account means delete the account forever. When the attacker clicks the Close Account tab, a POST request is sent, and the attacker's user ID is carried in the request content (body).

Step 5) Turn Burp Proxy intercept on.

Step 6) Click Close Account and look at the intercepted POST request.

Step 7) Change the user ID from the attacker's user ID 6161419 to the victim's user ID 6344809. Do this in the content section of the request, not in the cookies, as in image1.png.

Step 8) After forwarding the request, you will get a response page in the browser asking for the attacker's username. Enter the attacker's username, don_yahoo.

Step 9) After submitting the request, the victim's account gets deleted.

How to get the victim's user ID? Getting the victim's user ID is very simple. Suppose john_victim is your target. Search for john_victim's public profile using the community.[company].com search option, open the public community profile and take the user ID from the public profile URL, which is 6344809 for the victim in this PoC: https://community.[company].com/t5/user/viewprofilepage/user-id/6344809. The public profile is publicly accessible and needs no access, so anyone can view anyone's public profile and get their user ID.
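As an added example (not Lithium's code and not the author's), the root cause and its fix are shown below in a toy Python handler written from the defender's side: the vulnerable version trusts the user-id in the POST body (the field that step 7 tampers with), while the hardened version derives the target solely from the authenticated session, rejects and logs a mismatching body id, and requires the confirmation username to match the session user rather than merely any valid username. A small log check over constructed lines in a hypothetical format shows how such requests could have been surfaced after the fact. The store, endpoint path and log format are assumptions for illustration; the two user IDs are the ones from the PoC above.

```python
import re
from dataclasses import dataclass, field

# Constructed ids, reused from the write-up's PoC so the demo is readable.
ATTACKER_ID = 6161419
VICTIM_ID = 6344809


@dataclass
class Session:
    """Identity established by the auth layer (cookie/session), not by the form."""
    user_id: int


@dataclass
class CommunityStore:
    """Toy stand-in (assumption) for the platform's user table plus an audit trail."""
    users: dict = field(default_factory=dict)   # user_id -> username
    audit: list = field(default_factory=list)   # security events for the SOC

    def delete_user(self, user_id):
        self.users.pop(user_id, None)


def make_store():
    return CommunityStore(users={ATTACKER_ID: "don_yahoo", VICTIM_ID: "john_victim"})


def close_account_vulnerable(store, session, form):
    """IDOR pattern: the account to close is whatever id the client posted.
    The session is never consulted, so swapping the id in the body (step 7
    of the PoC) deletes the victim instead of the requester."""
    target = int(form["user-id"])
    store.delete_user(target)
    return {"status": "closed", "user_id": target}


def close_account_hardened(store, session, form):
    """Hardened handler: the target is always the session's own user.
    A body id that disagrees with the session is a tampering signal, so it is
    rejected and logged; the confirmation must name the session user."""
    target = session.user_id
    body_id = form.get("user-id")
    if body_id is not None:
        try:
            posted = int(body_id)
        except ValueError:
            posted = None
        if posted != target:
            store.audit.append({"event": "close_account_id_mismatch",
                                "session_user": target, "body_user": body_id})
            return {"status": "rejected", "reason": "user-id does not match session"}
    if form.get("confirm_username") != store.users.get(target):
        return {"status": "rejected", "reason": "username confirmation failed"}
    store.delete_user(target)
    return {"status": "closed", "user_id": target}


# Constructed access-log lines in a hypothetical format where the web tier
# records both the session user and the form user for close-account POSTs.
SAMPLE_LOG = """\
2016-07-12T10:15:02Z POST /close-account sid_user=6161419 form_user=6161419 status=200
2016-07-12T10:16:40Z POST /close-account sid_user=6161419 form_user=6344809 status=200
2016-07-12T10:17:05Z POST /close-account sid_user=7000001 form_user=7000001 status=200
"""

LOG_RE = re.compile(r"POST /close-account sid_user=(\d+) form_user=(\d+)")


def find_id_mismatches(log_text):
    """Retroactive detection: return (session_user, form_user) pairs where a
    close-account POST carried an id other than the requester's own."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and m.group(1) != m.group(2):
            hits.append((int(m.group(1)), int(m.group(2))))
    return hits


if __name__ == "__main__":
    attacker = Session(user_id=ATTACKER_ID)
    tampered = {"user-id": str(VICTIM_ID), "confirm_username": "don_yahoo"}

    s = make_store()
    print("vulnerable:", close_account_vulnerable(s, attacker, tampered), sorted(s.users))
    s = make_store()
    print("hardened:  ", close_account_hardened(s, attacker, tampered), sorted(s.users))
    print("log review:", find_id_mismatches(SAMPLE_LOG))
```

The design point is that the body id is never used as the authorization subject; it is at most a consistency check whose failure is worth an alert, since a legitimate browser form never disagrees with its own session. Logging both identities at the web tier is what makes the retroactive check possible.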

AWARDS and Recognition

Company             Sites            Award & Recognition
AT&T                                 $250 + hall of fame
PayPal                               $200 + hall of fame
Spotify                              $500 + hall of fame
Ubiquiti Networks                    $500 + hall of fame
ING Bank            many sites       400 Euro
Dutch Telekom       community site   $300 + hall of fame
F-Secure Networks                    hall of fame
Juniper Networks    community site   still under process

Publicly disclosed by Ubiquiti Networks through HackerOne:

You can follow me on Twitter.

Published by

Hey! I am a security researcher, tester and hacker. Finding bugs is my passion.
