How I Hacked Nokia?

I Discovered 10 Vulnerabilities in Nokia

Today, I want to share how I managed to discover 10 vulnerabilities in Nokia.




Who Am I?

My name is Adham Elhansy. I've been studying cybersecurity since I was 14 years old. I'm very passionate about low-level topics like binary exploitation, malware development, reverse engineering, and Red Teaming in general, and you can check my own website, Adham Elhansye.
I started bug bounty hunting about four months ago. It's both exciting and frustrating at the same time, but that's fine. Let's dive in!


Initial Research

Nokia's scope wasn't clear at all. There were no details about which vulnerabilities were accepted or which assets were in scope.
So I decided to check previous reports and look for write-ups on Medium about vulnerabilities found in Nokia. I found several reports of simple vulnerabilities like clickjacking, email spoofing, and low-impact information disclosure.
The scope was always:

*.nokia.com

That was my key to getting started.
I didn't want to waste more time; I needed to get into the Hall of Fame quickly. So I decided to look for clickjacking vulnerabilities first. I found a tool that generates fast proof-of-concept (PoC) clickjacking tests:

It simply requires entering a link; if the page loads inside an iframe, it's vulnerable.
I reported five vulnerabilities:

- 3 were duplicates

- 2 were accepted

That means my first five vulnerabilities were Clickjacking.
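A PoC generator only shows you the symptom (the page renders in a frame). As an added example, not the tool from the post (whose name is not given), the Python below classifies a page's framing policy from its response headers, which is both how you confirm the finding and what tells the triager which header is missing. The sample headers are constructed; only check_url touches the network.

```python
"""Classify a page's framing policy from its HTTP response headers.

A page is clickjackable only if browsers are allowed to put it in an iframe,
so the headers that matter are Content-Security-Policy (frame-ancestors) and
X-Frame-Options. Added example; the sample headers below are constructed.
"""
from typing import Dict, List, Optional
import urllib.request


def _header(headers: Dict[str, str], name: str) -> str:
    """Case-insensitive header lookup (HTTP libraries differ in casing)."""
    for key, value in headers.items():
        if key.lower() == name:
            return value
    return ""


def _frame_ancestors(csp: str) -> Optional[List[str]]:
    """Return the frame-ancestors source list, or None if the directive is absent."""
    for directive in csp.split(";"):
        tokens = directive.strip().split()
        if len(tokens) > 1 and tokens[0].lower() == "frame-ancestors":
            return [t.strip("'").lower() for t in tokens[1:]]
    return None


def framing_policy(headers: Dict[str, str]) -> str:
    """Return 'blocked', 'sameorigin', 'restricted' or 'frameable'.

    'frameable' means nothing stops an arbitrary site from framing the page,
    which is the precondition for clickjacking.
    """
    sources = _frame_ancestors(_header(headers, "content-security-policy"))
    if sources is not None:
        # When frame-ancestors is present, browsers ignore X-Frame-Options.
        if sources == ["none"]:
            return "blocked"
        if sources == ["self"]:
            return "sameorigin"
        return "restricted"  # explicit allow-list of framing origins
    xfo = _header(headers, "x-frame-options").strip().upper()
    if xfo == "DENY":
        return "blocked"
    if xfo == "SAMEORIGIN":
        return "sameorigin"
    # No header, an invalid value, or the obsolete ALLOW-FROM (ignored by
    # current browsers) all leave the page frameable.
    return "frameable"


def recommended_fix(policy: str) -> str:
    """Remediation line to put in the report for a given classification."""
    if policy == "frameable":
        return ("Set Content-Security-Policy: frame-ancestors 'none' (or 'self'), "
                "plus X-Frame-Options: DENY for older browsers.")
    return "No change needed."


def check_url(url: str, timeout: float = 10.0) -> str:
    """Fetch one URL and classify its live response headers."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return framing_policy(dict(resp.headers.items()))


# Constructed sample responses (not captured from any real host).
SAMPLES = {
    "no-headers": {"Content-Type": "text/html"},
    "xfo-deny": {"X-Frame-Options": "DENY"},
    "xfo-allowfrom": {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
    "csp-none": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    "csp-list": {"Content-Security-Policy": "frame-ancestors 'self' https://partner.example"},
}

if __name__ == "__main__":
    for label, hdrs in SAMPLES.items():
        policy = framing_policy(hdrs)
        print(f"{label:14} {policy:10} {recommended_fix(policy)}")
```

Note that ALLOW-FROM comes out as "frameable": modern browsers ignore that value entirely, so a host that relies on it has no protection, which is a common reason a page that "has X-Frame-Options" still frames.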


Moving on to JavaScript File Bugs

I got bored with Clickjacking and moved on to my favorite type of vulnerabilities: JavaScript file bugs.
First, I gathered all URLs and filtered for JavaScript files:

waymore -i nokia.com -mode U -oU waymore.txt 

Then I filtered them down to JavaScript files that actually respond with 200 (the pattern is anchored so that .json and .jsp URLs are not picked up):

grep -iE '\.js(\?|$)' waymore.txt | httpx -mc 200 | tee js.txt

I worked on both manual and automated JavaScript analysis.

I set up my VPS and ran:

- Mantra

- JSSecret Finder

- JSNinja

I let them run automatically while manually reviewing specific file names like:

- config.js

- app.js

- main.js

- env.js

- internal.js

First Finding: Internal Employee Email Disclosure

I found a file:

https://subdomain.nokia.com/config.js

It contained internal employee emails. I reported it, and it was accepted.

Second Finding: API Key Exposure

I continued searching and found another file:

https://subdomain.nokia.com/internal.js

It contained a disclosed API key that gave access to the GIPHY service.
Even though it was low impact, it was still accepted.

Note: Automation tools didn’t detect these findings!
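The two findings above (employee e-mails in config.js, an API key in internal.js) are exactly what a grep-style pass over the bodies of the URLs in js.txt catches. As an added example, not the post's tooling or any of the tools listed, here is a small scanner with three patterns; the sample file is constructed, and redact() is there so the report proves the finding without pasting the whole credential into a ticket.

```python
"""Grep-style scanner for the kinds of data that end up in front-end JS files:
e-mail addresses, key/secret/token assignments and URLs pointing at hosts that
look non-public. Added example; the sample file below is constructed.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample in the style of a config.js / internal.js (not real data).
SAMPLE_JS = """
window.APP_CONFIG = {
  supportContacts: ["jane.doe@corp.example", "ops-team@corp.example"],
  giphyApiKey: "AbCdEfGhIjKlMnOpQrStUvWxYz012345",
  apiBase: "https://api.corp.example/v1",
  debugEndpoint: "https://staging-internal.corp.example/debug",
  featureFlags: { beta: true }
};
"""

# label -> (pattern, capture group to report); group 0 is the whole match.
PATTERNS: Dict[str, Tuple[re.Pattern, int]] = {
    "email": (re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"), 0),
    # apiKey / api_key / secret / token / password followed by a quoted value of
    # at least 16 characters. There is deliberately no leading word boundary so
    # camel-case property names such as giphyApiKey are matched too.
    "credential": (re.compile(
        r"""(?i)(api[_-]?key|secret|token|password)["']?\s*[:=]\s*["']([^"'\s]{16,})["']"""), 2),
    # Absolute URLs whose host contains a word that suggests a non-public system
    # (heuristic: "dev" will also flag hosts like devices.example, review by hand).
    "internal_url": (re.compile(
        r"""https?://[^\s"'/]*(?:internal|staging|dev|intranet)[^\s"'/]*[^\s"']*"""), 0),
}


def scan_js(source: str) -> Dict[str, List[str]]:
    """Run every pattern over the file body and return de-duplicated hits."""
    findings: Dict[str, List[str]] = {}
    for label, (pattern, group) in PATTERNS.items():
        hits = {m.group(group) for m in pattern.finditer(source)}
        if hits:
            findings[label] = sorted(hits)
    return findings


def redact(secret: str, keep: int = 4) -> str:
    """Mask the middle of a secret so the report shows enough to reproduce
    without copying the full credential around."""
    if len(secret) <= 2 * keep:
        return "*" * len(secret)
    return secret[:keep] + "..." + secret[-keep:]


def scan_file(path: str) -> Dict[str, List[str]]:
    """Scan one downloaded JS file (for example each URL in js.txt saved to disk)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_js(fh.read())


if __name__ == "__main__":
    for label, values in scan_js(SAMPLE_JS).items():
        for value in values:
            shown = redact(value) if label == "credential" else value
            print(f"{label:13} {shown}")
```

The credential pattern is the one most generic scanners miss when the key is stored under a product-specific name (giphyApiKey rather than apiKey), which is consistent with the note above that the automated tools did not flag these files.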

Third Finding: Limited Local File Disclosure

I found a Limited Local File Disclosure vulnerability. It exposed the contents of internal system files, similar to an LFI, but through JavaScript files.

Unfortunately, it was marked as duplicate.

Final Finding: Open Redirect

I found an internal login page with a parameter:

?redirect_uri=

I tried:

https://attacker.com

but it didn’t work.

After multiple attempts, I found the correct payload:

http:attacker.com

However, this was also marked as duplicate.
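Why http:attacker.com gets past a check that rejects https://attacker.com is worth seeing in code: browsers normalise a missing-slashes URL like http:attacker.com to http://attacker.com/, while a prefix blocklist never sees the slashes. The example below is added here and is hypothetical (it is not the login page's actual code): naive_is_safe is the kind of blocklist that produces exactly the behaviour described above, and is_safe_redirect is the allowlist check that should replace it. The allowed hosts are constructed.

```python
"""Open-redirect validation for a redirect_uri-style parameter.

naive_is_safe is a hypothetical blocklist check shown only to illustrate the
bypass; is_safe_redirect is the allowlist check to use instead. Added example;
the hosts below are constructed.
"""
from urllib.parse import urlsplit

# Constructed allowlist for the example; a real app would list its own hosts.
ALLOWED_HOSTS = {"login.example.com", "app.example.com"}


def naive_is_safe(url: str) -> bool:
    """Hypothetical blocklist: rejects only URLs that start with a known prefix.
    'http:attacker.com' has no '//' so it slips through, yet a browser will
    still navigate to http://attacker.com/."""
    lowered = url.strip().lower()
    return not lowered.startswith(("http://", "https://", "//"))


def is_safe_redirect(url: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Allowlist check: accept a same-site path, or an absolute https URL whose
    host is explicitly allowed. Everything else is rejected."""
    if not url or any(c in url for c in "\r\n\x00"):
        return False  # header injection / malformed input
    parts = urlsplit(url)
    if parts.scheme == "" and parts.netloc == "":
        # A relative path must start with exactly one '/'; '//' and '/\' are
        # read as scheme-relative URLs by browsers.
        return url.startswith("/") and not url.startswith(("//", "/\\"))
    # Anything carrying a scheme must be https with an explicit, allowed host.
    # 'http:attacker.com' parses as scheme 'http' with no host and fails here;
    # 'https:attacker.com' parses with an empty host and fails the allowlist.
    if parts.scheme != "https":
        return False
    host = (parts.hostname or "").lower()
    return host in allowed_hosts


# Constructed probe values covering the cases from the write-up plus the
# usual variants a validator must handle.
PROBES = [
    "/account/settings",
    "https://login.example.com/callback",
    "https://attacker.com",
    "http:attacker.com",
    "https:attacker.com",
    "//attacker.com/",
    "/\\attacker.com",
    "https://login.example.com@attacker.com/",
]

if __name__ == "__main__":
    print(f"{'redirect_uri':42} naive  allowlist")
    for probe in PROBES:
        print(f"{probe:42} {str(naive_is_safe(probe)):6} {is_safe_redirect(probe)}")
```

The allowlist version also stops the user-info trick (https://login.example.com@attacker.com/), because hostname is taken from the parsed authority rather than from a string prefix.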

---

Final Results

Here’s the breakdown of my findings:

- 5x Clickjacking
- 3x JavaScript File Bugs
- 1x Limited Local File Disclosure
- 1x Open Redirect

That's 10 vulnerabilities in total!

- 4 accepted
- 6 duplicates



I was also added to the Hall of Fame!




Thank you! Follow me; I will publish about bugs in IBM, NASA, and Microsoft soon.




Comments

1. Great writeup, looking forward to reading more. Keep up the good work!
