How to hack Sarahah? A guy hacked it, check how: Sarahah is a messaging app focused on trust and privacy that lets its users send and receive anonymous messages. But suddenly everyone is getting the message, and reading on the internet, that they can find out the username of whoever sent them messages on Sarahah.

“Note: This content is for educational purposes only.”

Sarahah is all about honesty, but we all know programmers never pass up a chance to do something creative. A guy named Shawar Khan today released a script he wrote to demonstrate the XSS vulnerability that was identified in Sarahah.

The article demonstrates the XSS vulnerability in Sarahah properly. According to the article, the XSS vulnerability is caused by the insecure reflection of message content when new messages are loaded: new messages are not properly filtered or encoded before being rendered, which causes the issue. For example, if a user submits a simple <script>alert(1)</script> as a message, the payload is executed when that message is loaded on the next page after scrolling down.

This script by Shawar Khan is able to perform the following actions:

1. Message capture

2. Email change

3. Account deletion

So how does it work?

Basically, he has coded a separate JavaScript exploit for each of these actions. The Python script injects the payload into a target account and then floods the user with around 20 messages, so that the payload lands in the vulnerable area and executes on scroll.

The tool submits a script tag that calls eval on the output of atob, in order to bypass the protection that is deployed. The Base64-encoded exploit code executes when it is passed through eval. The site returns an error if the message contains any ‘.’ character; this check is used to deny any message containing a link or domain name. The protection can be bypassed by encoding the payload in Base64 and passing it to atob and then eval, since the encoded string contains no ‘.’. So the template is like:


The site has implemented multiple protection mechanisms, all of which the tool bypasses. The script loads multiple proxies and submits the exploit code from different IP addresses to get around IP-based rate limiting. This slows things down but does the job.
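The two points above, that a deny-list on ‘.’ does not stop script injection and that the real fix is encoding message text at render time, can be shown in a few lines. This is an added example written for this post, not code from the article or from Shawar Khan's tool; the function names and the sample message are made up, and it runs in Node without a browser:

```javascript
// Minimal HTML entity encoding for text placed inside an element body.
// This is the control the vulnerable page lacked: it makes markup in a
// message inert instead of trying to guess which characters are dangerous.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Deny-list input filter as the post describes it: reject any message that
// contains a '.' (intended to block links and domains). Returns true when the
// message would be accepted.
function dotDenyListAccepts(message) {
  return !message.includes(".");
}

// Vulnerable rendering pattern: untrusted message text concatenated straight
// into HTML, the equivalent of assigning it to innerHTML.
function renderMessageVulnerable(message) {
  return `<div class="msg">${message}</div>`;
}

// Hardened rendering pattern: encode before insertion, so the browser shows
// the characters the sender typed rather than executing them.
function renderMessageSafe(message) {
  return `<div class="msg">${escapeHtml(message)}</div>`;
}

// Crude detector used only to compare the two outputs: does the rendered HTML
// still contain a live script tag?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample input: the probe quoted in the post. It has no '.', so
// the deny-list lets it through, yet it is a complete script element.
const SAMPLE_MESSAGE = "<script>alert(1)</script>";
```

Running the sample through both renderers shows the filter accepting the message, the vulnerable output keeping the script tag, and the encoded output neutralising it.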

So is it legal or not?

Any script not written by Sarahah's developers is considered illegal, and using one will get you permanently banned from Sarahah. This script was not written by any Sarahah developer, so using it is 100% illegal. The developer is working to remove the vulnerability as soon as possible. So guys, be aware of this kind of trick and never use it.
