OnePlus Two invite system hacked again

Jack Cooper first hit the headlines when he revealed a hack of the OnePlus Two invite system that let him jump the queue, and OnePlus acknowledged the loophole in the system.

Though OnePlus awarded Jack a special invite and took all the measures to block loopholes in the invite system, Jack did it again. What I believe is that this time OnePlus had better hire Jack Cooper, like Apple did earlier.

What Jack has to say about this:

So nice I did it twice. “Hacking” the OnePlus reservation system, again.

This morning I received an email from OnePlus saying that they were going to patch the exploit I detailed yesterday. Guess it’s time for round 2.

Amidst my search for hacks in my previous article, I discovered another trick that led to a bigger and better hack. Gmail has what is called “Email aliasing”, which allows emails sent to a permutation of your Gmail to be forwarded to your Gmail. There exist 2 rules to this that I have heard of. The following 2 emails both forward to youremail@gmail.com.

  1. Youremail+anything@gmail.com (Courtesy of /u/pyronautical on Reddit)
  2. Your.email@gmail.com

The first one is relatively simple, as it just truncates everything after the +. This was the first one I checked on OnePlus, but no dice, I was blocked by the OnePlus web client. I even tried to request straight to the server like last time. Again, no luck.

The second one proved to be a little more fruitful. OnePlus had done SOME validation, but had let some slide through. It turns out OnePlus WILL accept emails with periods (Which I knew, because mine has a couple), but there are again a couple of rules.

  1. The periods cannot occur at the start or end of the email.
  2. Two periods cannot occur adjacent to one another in an email.
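
From the defending side, both alias rules quoted above are closed by comparing reservations on the mailbox an address delivers to rather than on the string that was typed. The Python below is an added example, not part of Jack's post or of OnePlus's code; `ReservationList`, the function names, the domain set and the sample addresses are assumptions constructed for illustration.

```python
# Added example: key reservations on the mailbox an address delivers to.
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}  # assumption: extend per provider


def canonical_email(address: str) -> str:
    """Collapse Gmail aliases so every permutation maps to one key."""
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    domain = domain.lower()
    if domain in GMAIL_DOMAINS:
        local = local.lower()               # Gmail local parts are case-insensitive
        local = local.split("+", 1)[0]      # alias rule 1: text after '+' is ignored
        local = local.replace(".", "")      # alias rule 2: periods are ignored
        domain = "gmail.com"
        if not local:
            raise ValueError(f"empty mailbox after normalisation: {address!r}")
    return f"{local}@{domain}"


def dotted_variant_count(local: str) -> int:
    """How many period placements pass the two validation rules above:
    each of the n-1 gaps between characters either holds a period or not."""
    n = len(local.replace(".", ""))
    return 2 ** (n - 1) if n else 0


class ReservationList:
    """Hypothetical sign-up store: one reservation per canonical mailbox."""

    def __init__(self) -> None:
        self._by_mailbox: dict[str, str] = {}

    def register(self, address: str) -> bool:
        key = canonical_email(address)
        if key in self._by_mailbox:
            return False                    # alias of an address already queued
        self._by_mailbox[key] = address     # keep the typed form for delivery
        return True


if __name__ == "__main__":
    queue = ReservationList()
    # Constructed sample sign-ups, in arrival order.
    for addr in ["youremail@gmail.com", "Your.email@gmail.com",
                 "youremail+anything@gmail.com", "first.last@example.org"]:
        print(f"{addr:32} accepted={queue.register(addr)}")
    print("dotted forms of 'youremail':", dotted_variant_count("youremail"))
```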

What Jack did to exploit the system

Method 1:

  1. Fill in gmailAddress and inviteToken on lines 9-10
  2. Run! (python GmailExploit.py)
  3. Click links in your gmail inbox (or add a python script to automate this)

Method 2:

  1. Run GmailExploit2.py
  2. Enter your email WITH @gmail.com when prompted.
  3. Enter your referral code (5-6 digits found on the end of your referral link)
  4. Run EmailParser.py
  5. Enter your email WITH @gmail.com.
  6. Enter your password

Source: Medium

Please do not try this method, as OnePlus may disqualify you, and legally it is a crime to hack someone else's server.

About the author

Rakesh Bhatia
