How It Started 👀 (Manual Testing)

I was clicking around and breaking things, the old-fashioned way.

On the website you can create a manager account; each manager account can create advertisers, and each advertiser can create trackers that are used to track ads.

While testing the advertiser panel, I noticed the tracker deletion button.

So I did what any curious security researcher would do:

"What happens if I delete something that doesn't belong to me?"

Setting Up the Test 🧪

I created two manager accounts:

  • account1
  • account2

For each account:

  1. Created an advertiser
  2. Created a tracker under that advertiser

So now we have:

  • Tracker A → owned by advertiser on account1
  • Tracker B → owned by advertiser on account2

The Trick 🎯

  1. From Account 1, I selected the tracker and pressed delete.
  2. I intercepted the request to capture the tracker ID and dropped it before it reached the server.
  3. From Account 2, I selected the tracker, pressed delete and captured the request.
  4. I took the tracker ID from Account 1 and replaced the ID in the delete request from Account 2 with it.

Then I sent the request.


💥 Boom.

The tracker belonging to the other advertiser was deleted successfully.
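To make the bug class concrete, here is an added example (not Revive Adserver's code, and the class, field and handler names are my own assumptions) modelling the manager → advertiser → tracker hierarchy from the write-up. `delete_tracker_vulnerable` behaves like the flaw described above: it only checks that the caller is logged in and trusts the tracker ID from the request. `delete_tracker_fixed` adds the ownership check that was missing, and `reproduce` replays the cross-account deletion against either handler.

```python
"""Added example, not project code: an in-memory model of the IDOR on tracker
deletion described in the write-up, beside its hardened form.
All names here (AdServerModel, Session, delete_tracker_*) are hypothetical."""
from dataclasses import dataclass
from itertools import count


@dataclass
class Tracker:
    tracker_id: int
    advertiser_id: int  # owning advertiser


@dataclass
class Advertiser:
    advertiser_id: int
    manager_id: int  # owning manager account


@dataclass
class Session:
    """Hypothetical server-side session: who is logged in, and from which advertiser panel."""
    manager_id: int
    advertiser_id: int


class AdServerModel:
    """Hypothetical data layer standing in for the application's database."""

    def __init__(self):
        self._ids = count(1)
        self.advertisers: dict[int, Advertiser] = {}
        self.trackers: dict[int, Tracker] = {}

    def create_advertiser(self, manager_id):
        adv = Advertiser(next(self._ids), manager_id)
        self.advertisers[adv.advertiser_id] = adv
        return adv

    def create_tracker(self, advertiser_id):
        trk = Tracker(next(self._ids), advertiser_id)
        self.trackers[trk.tracker_id] = trk
        return trk

    def delete_tracker_vulnerable(self, session, tracker_id):
        """IDOR: checks authentication only; the tracker ID in the request is trusted."""
        if session is None:
            raise PermissionError("not logged in")
        if tracker_id not in self.trackers:
            return False
        del self.trackers[tracker_id]
        return True

    def delete_tracker_fixed(self, session, tracker_id):
        """Authorization: the tracker must belong to the advertiser the session acts for."""
        if session is None:
            raise PermissionError("not logged in")
        trk = self.trackers.get(tracker_id)
        # Same answer for "missing" and "not yours", so the endpoint cannot be
        # used to enumerate which tracker IDs exist in other accounts.
        if trk is None or trk.advertiser_id != session.advertiser_id:
            return False
        del self.trackers[tracker_id]
        return True


def reproduce(handler_name, as_owner=False):
    """Replay the write-up's scenario against one handler.

    Two manager accounts, one advertiser and one tracker each; a delete request
    for Tracker A is sent from Account 2's session (or from Account 1's own
    session when as_owner=True). Returns (delete_reported_success, tracker_a_still_exists).
    """
    model = AdServerModel()
    adv1 = model.create_advertiser(manager_id=1)  # account1
    adv2 = model.create_advertiser(manager_id=2)  # account2
    tracker_a = model.create_tracker(adv1.advertiser_id)
    model.create_tracker(adv2.advertiser_id)  # Tracker B, not touched here
    acting = adv1 if as_owner else adv2
    session = Session(manager_id=acting.manager_id, advertiser_id=acting.advertiser_id)
    handler = getattr(model, handler_name)
    ok = handler(session, tracker_a.tracker_id)  # Tracker A's ID swapped into the request
    return ok, tracker_a.tracker_id in model.trackers


if __name__ == "__main__":
    print("vulnerable, cross-account:", reproduce("delete_tracker_vulnerable"))
    print("fixed, cross-account:     ", reproduce("delete_tracker_fixed"))
    print("fixed, legitimate owner:  ", reproduce("delete_tracker_fixed", as_owner=True))
```

The ownership check has to be done server-side, on every state-changing endpoint, against the identity in the session rather than any account or advertiser ID the client sends; hiding the delete button in the UI for foreign trackers would not have stopped the request replayed above.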

Impact 💣

This vulnerability allows a malicious advertiser to:

❌ Delete trackers owned by other advertisers
❌ Delete admin-created trackers
❌ Wipe out all trackers in the system

Responsible Disclosure 🤝

I reported the issue to Revive Adserver on HackerOne.

A CVE was assigned shortly afterwards, and the fix is now live in the latest version.

Follow me for more write-ups.

Stay curious. Stay ethical. Happy hacking!