How I Hacked JioNews?
JioNews is a news app for breaking news every second. It has 190+ live news channels, Magazines, newspapers, viral videos, and news websites from India and across the world.
Non-Jio users can access all the features in the app by simply logging in to the app during the trial period. However, Jio users will have premium access to all the features on JioNews.
However, I managed to gain access to premium content without the use of a Jio SIM or even logging in!!!!
How was I able to find this vulnerability?
My discovery of this vulnerability began with a meticulous process of reconnaissance and Google Dorking. During my investigation, I stumbled upon certain API URLs, including:
https://****.****.jio.com/s/1/apis?d=MSZpZD0yNDkwNw==
https://****.****.jio.com/s/1/5/NjUz
https://****.****.jio.com/s/1/apis?d=MiZpZD04NzIxMzQmcGFnZT0x
Upon clicking these URLs, I was astounded to find that they provided unrestricted access to Live News Channels, Magazines, Newspapers, and more, effectively bypassing the need for a Jio SIM or login credentials.
Let’s delve into the breakdown of these URLs, how they functioned, and the contents of the encoded data.
- https://****.****.jio.com/s/1/apis?d=MSZpZD0yNDkwNw==
- Upon decoding the base64-encoded value “MSZpZD0yNDkwNw==,” it translates to “1&id=24907.” Consequently, the modified URL becomes:
- https://****.****.jio.com/s/1/apis?d=1&id=24907
- This modified URL, when accessed, enabled me to bypass the usual restrictions and access premium content without requiring a Jio SIM or login credentials. It appears that the ‘id’ parameter was instrumental in this exploit.
The flaw in the system allowed the manipulation of these parameters to grant unauthorized access to premium content.
Upon accessing the modified URL, https://****.****.jio.com/s/1/apis?d=1&id=24907, the system would return the content from jionews.com and render it for display. This behavior essentially allowed unauthorized users to access and view premium JioNews content without the need for a Jio SIM or login credentials.
It appears to be an Insecure Direct Object Reference (IDOR) vulnerability. By manipulating the ‘id’ value, encoding it into base64, and then accessing the corresponding URL, it was possible to access content associated with different magazine IDs without the necessary permissions or authentication.
This was just for a magazine. How can I access other content, such as Live TV and Newspapers?
So, there was an ID linked to each section: 1 for home, 2 for magazines, 3 for newspapers, 4 for videos, and 5 for live TV.
Let’s attempt to access the News TV channel; for that, the ID would be 4. The API URL would be https://****.****.jio.com/s/1/5/ID
Once more, the ID is a base64-encoded value representing the news channel ID, and you can access the News channel simply by changing the News channel ID.
The channel ID is 493, or NDkz in base64, so the URL will be:
https://****.****.jio.com/s/1/5/NDkz
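The server-side check these endpoints lacked, as an added example (not from the original write-up and not Jio's code): the handler decodes the `d` value but decides access from the session, never from the reference itself, since base64 is an encoding and not an access control. The catalogue, the session shape and the function names are assumptions made for illustration.

```python
import base64
from urllib.parse import parse_qs

# Constructed catalogue (assumption): (first field, id) -> is the item premium?
CATALOGUE = {(1, 24907): True, (1, 100): False}

def decode_ref(d):
    """Decode the base64 `d` value, e.g. 'MSZpZD0yNDkwNw==' -> (1, 24907)."""
    try:
        raw = base64.b64decode(d, validate=True).decode("ascii")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    head, _, rest = raw.partition("&")
    ids = parse_qs(rest).get("id", [])
    # Reject anything that is not exactly "<digits>&id=<digits>[&...]"
    if not head.isdigit() or len(ids) != 1 or not ids[0].isdigit():
        return None
    return int(head), int(ids[0])

def handle(d, session):
    """Return (status, body); `session` is server-side state, or None if absent."""
    ref = decode_ref(d)
    if ref is None:
        return 400, "bad reference"
    if ref not in CATALOGUE:
        return 404, "not found"
    if CATALOGUE[ref]:  # premium: identity and entitlement come from the session
        if session is None:
            return 401, "login required"
        if not session.get("premium"):
            return 403, "premium subscription required"
    return 200, f"content for {ref}"

if __name__ == "__main__":
    # Same reference, three callers: only the entitled session gets the content
    for sess in (None, {"premium": False}, {"premium": True}):
        print(sess, handle("MSZpZD0yNDkwNw==", sess))
```

The same per-request check applies to the path-style references such as `/s/1/5/NDkz`, where the channel ID is carried in the URL path instead of the `d` parameter.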
I discovered this bug and promptly reported it to jio.bugsreporting@jio.com, and here is the response I received from Jio.
Isn’t it perplexing? I’m struggling to comprehend why they display a premium content warning.
I attempted to inquire via email, asking if it’s just for information purposes and doesn’t have any real impact. If that’s the case, it would make sense to share an intriguing write-up, wouldn’t it? However, they promptly denied my request, which is rather amusing, don’t you think? Now, you understand the situation, right? What could be their motive?
And then they started asking for a detailed POC with steps. I sent a POC, and it's been a month since I sent it.
I repeatedly requested an update, but they neither acknowledged the vulnerability nor provided any bounty payment; instead, they initiated the fixing process. Yes, many of these endpoints are now secured. This isn’t the first time with Jio; previously, I reported some vulnerabilities, and they requested a detailed report but then failed to respond.
If you found this write-up informative or have any questions, please don’t hesitate to reach out to me:
Github: https://github.com/viralvaghela
Linkedin: https://www.linkedin.com/in/viralv/