Sarmad Hassan

Published On: 30 Jul 2021

How I Hacked GETTR

Other
General | Web
---
HIGH VALID

Gettr is a social media platform targeted at American conservatives. It was created by Jason Miller, a former Donald Trump aide and spokesman, and launched officially on July 4, 2021. Its user interface and feature set have been described as very similar to those of Twitter.

Description

On 4 July 2021 I saw a post on Facebook where people were talking about the gettr.com website, and I decided to test how secure it was. To be honest, it took me about 20 minutes to find 5 security bugs: 2 IDORs, 2 user privacy disclosures and 1 reflected XSS.

Impact

1- Edit users' nicknames.
2- Disclose users' information.
3- Steal users' cookies and take over users' accounts.
4- Disclose posts of users who blocked you.
5- Pin other users' posts.

Reproduction Steps

Step 1

1st bug: edit users' nicknames

====================

While changing the website's interface language I noticed the endpoint below:

POST /u/user/attacker_username/settings/account?prop={}

{
  "content": {
    "nickname": "attacker nick name",
    "lang": "en"
  }
}

I noticed two things:

1- When I changed attacker_username to any other user's name, the response gave no error, even though the website is protected by a JWT (JSON Web Token).

2- They included "nickname" as a field in the request that is responsible for changing the website's interface language.

So by changing attacker_username to another user's name (an account that does not belong to me), and because the "nickname" value was editable in the same request, I was able to change the nickname of any user.
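Both halves of this bug are missing server-side checks: the path username is never compared with the authenticated identity, and the language endpoint accepts fields it has no business updating. The handler below is an added example written for this writeup, not GETTR's code; the claim layout (`sub` carrying the username), the function names and the allow-list are assumptions, and the JWT is assumed to have been signature-verified before its claims reach the handler.

```javascript
// Added example (not GETTR's code): server-side checks for the settings endpoint.
// Assumptions: jwtClaims is the verified payload of the request's JWT and its
// `sub` claim holds the username; the language endpoint may only change `lang`.

// The only field the language-switch endpoint legitimately needs to update.
const LANG_ENDPOINT_ALLOWED_FIELDS = new Set(['lang']);

function handleAccountSettings(pathUsername, jwtClaims, body) {
  // 1. Principal check: the username in the URL must be the authenticated user.
  //    This is the check whose absence made the endpoint an IDOR.
  if (!jwtClaims || typeof jwtClaims.sub !== 'string' || jwtClaims.sub !== pathUsername) {
    return { status: 403, error: 'path user does not match token subject' };
  }

  // 2. Field allow-list: reject any field this endpoint is not meant to update,
  //    so a stray "nickname" in the body cannot ride along with the language change.
  const content = (body && body.content) || {};
  const rejected = Object.keys(content).filter((k) => !LANG_ENDPOINT_ALLOWED_FIELDS.has(k));
  if (rejected.length > 0) {
    return { status: 400, error: `unexpected fields: ${rejected.join(', ')}` };
  }

  // 3. Validate the one field we do accept (BCP 47-style "en" or "en-US").
  if (typeof content.lang !== 'string' || !/^[a-z]{2}(-[A-Z]{2})?$/.test(content.lang)) {
    return { status: 400, error: 'invalid lang' };
  }

  return { status: 200, updated: { username: pathUsername, lang: content.lang } };
}
```

A mismatch between the path user and the token subject is also worth logging on its own: a burst of 403s from one token against many usernames is exactly the traffic pattern of someone probing for this class of bug.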

Step 2

2nd bug: Disclose users' information

=========================

While checking my Burp Suite history tab, I saw the endpoint below:


https://api.gettr.com/u/posts/srch/choices?phrase=attacker_user_name&max=5&incl=userinfo

 

This endpoint used a GET request and returned all the information belonging to the user, as below:

id: "user_id_name"

nickname: "user_nick_name"

email: "user_email"

username: "user_username"

ousername: "user_username"

birthyear: "user_birthdate"

block: "blocked users' names"

 

So by changing "attacker_user_name" in the above link to any other username, I was able to disclose all the information mentioned above. As you know, this information is considered private and should not be visible to the public.
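The fix for this one is a response projection: the search endpoint should decide per field what leaves the server, regardless of what `incl=userinfo` asks for, and the owner-only fields should be attached only when the requester is the record's owner. The code below is an added example, not GETTR's code; the field names are taken from the response shown above, while the record shape, the split between public and owner-only fields, and the function names are assumptions.

```javascript
// Added example (not GETTR's code): projection of user records for a search
// endpoint. Field names come from the disclosed response; everything else is assumed.

// Fields any caller may see in search results.
const PUBLIC_USER_FIELDS = ['id', 'nickname', 'username', 'ousername'];
// Fields only the account owner may see, and only about their own record.
const OWNER_ONLY_FIELDS = ['email', 'birthyear', 'block'];

// Build the outgoing object field by field; nothing is copied that is not listed.
function projectUser(record, requesterId) {
  const out = {};
  for (const f of PUBLIC_USER_FIELDS) {
    if (f in record) out[f] = record[f];
  }
  if (requesterId !== null && requesterId === record.id) {
    for (const f of OWNER_ONLY_FIELDS) {
      if (f in record) out[f] = record[f];
    }
  }
  return out;
}

// Search handler: the client-supplied `incl` parameter is deliberately ignored;
// the projection, not the caller, decides what is returned.
function searchUsers(db, phrase, requesterId, max = 5) {
  const needle = String(phrase).toLowerCase();
  return db
    .filter((u) => u.username.toLowerCase().includes(needle) || u.nickname.toLowerCase().includes(needle))
    .slice(0, max)
    .map((u) => projectUser(u, requesterId));
}

// Constructed sample data (not real accounts).
const SAMPLE_USERS = [
  { id: 'u1', nickname: 'Alice', username: 'alice', ousername: 'Alice', email: 'alice@example.invalid', birthyear: 1990, block: ['u2'] },
  { id: 'u2', nickname: 'Bob', username: 'bob', ousername: 'Bob', email: 'bob@example.invalid', birthyear: 1985, block: [] },
];
```

The allow-list direction matters: a deny-list that strips `email` from the stored record keeps leaking whenever a new private column is added, whereas a projection that copies only named public fields fails closed.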

Step 3

3rd bug: Reflected XSS - Steal users' cookies and take over users' accounts

===========================================

I noticed that when I searched for a user that doesn't exist on the website, it redirected me to the link below:

https://gettr.com/account-doesnt-exist/username_that_don't_exist


I noticed that the username was reflected on the page as bold text, so I asked myself why not check for XSS. I tried some payloads to trigger XSS but nothing worked at first; they had put protection in place to prevent XSS attacks, but it was not well implemented, and I was able to bypass it using an iframe tag. The payload I used was as below:

<iframe src=javascript:alert(1)>
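The reason a tag-specific filter loses here is that it tries to recognise dangerous markup instead of changing the context: once the username is HTML-encoded for the text context it is printed in, no tag survives, iframe or otherwise. The snippet below is an added example, not GETTR's code; the page template and the function names are assumptions.

```javascript
// Added example (not GETTR's code): contextual output encoding for the
// "account doesn't exist" page. Template text and function names are assumed.

// Encode the five characters that carry meaning in HTML text and attribute contexts.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#39;',
  })[c]);
}

// Build the fragment that echoes the looked-up name in bold. The name is
// encoded at the point of output, so the template never has to know what
// characters a caller might send.
function renderAccountMissing(username) {
  return `<p>The account <b>${escapeHtml(username)}</b> doesn't exist.</p>`;
}

// Defensive self-check usable in a template test suite: after encoding, the
// only tags present in the output are the ones the template itself wrote.
function containsOnlyExpectedTags(html) {
  const tags = html.match(/<\/?[a-zA-Z][^>]*>/g) || [];
  return tags.every((t) => /^<\/?(p|b)>$/.test(t));
}
```

Encoding fixes the injection itself; marking the session cookie `HttpOnly` and shipping a Content-Security-Policy without `'unsafe-inline'` are the usual second layers that turn a missed encoding into something less than account takeover.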

Step 4

4th bug: Disclose posts of users who blocked you

=================================

When you block a user on the gettr website, they are not supposed to be able to see your profile and posts, but I found a way to bypass this: it is possible to see the posts of a user who blocked you if you know the post id, for example:

https://gettr.com/post/userwhoblockedyou_post_id

If you go to the above link with a known post id of that user, you will be able to see their post, and you will also be able to give it a like :)

Step 5

5th bug: Pin other users' posts

=====================

Like other social platforms, gettr also has an option for pinning posts. You can't pin another user's post, only a post you own, but I found a way to bypass this and was able to pin other users' posts to my profile. To reproduce this bug, just pin your own post and intercept the request with Burp Suite; you will see a POST request like the one below:

POST /u/user/attacker_user_name/post/post_id/pin

Change post_id to another user's post id (a post you don't own) and forward the request to the server, then go back to your profile page and you will see that post pinned to your profile :)
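Bugs 4 and 5 are the same missing layer seen from two sides: a per-object authorization check that runs on every read and write of a post, keyed on the post id rather than on how the client navigated to it. The module below is an added example covering both sections, not GETTR's code; the in-memory users and posts are constructed, and the data shapes, status codes and function names are assumptions.

```javascript
// Added example (not GETTR's code): object-level authorization for posts,
// covering the block-list bypass (bug 4) and the pin-ownership bypass (bug 5).
// All data is constructed; shapes, status codes and names are assumptions.

const USERS = new Map([
  ['alice', { blocked: new Set(['mallory']), pinned: null }],
  ['mallory', { blocked: new Set(), pinned: null }],
]);
const POSTS = new Map([
  ['p100', { author: 'alice', likes: new Set() }],
  ['p200', { author: 'mallory', likes: new Set() }],
]);

// Bug 4: a post is visible only if its author has not blocked the viewer.
// Because the decision is made from the post id, fetching /post/<id> directly
// goes through the same check as browsing the author's profile.
function canViewPost(viewer, postId) {
  const post = POSTS.get(postId);
  if (!post) return false;
  return !USERS.get(post.author).blocked.has(viewer);
}

// The same visibility check guards writes on the post, so a blocked user
// cannot like a post they are not allowed to see. 404 rather than 403 avoids
// confirming that the post exists.
function likePost(viewer, postId) {
  if (!canViewPost(viewer, postId)) return { status: 404 };
  POSTS.get(postId).likes.add(viewer);
  return { status: 200, likes: POSTS.get(postId).likes.size };
}

// Bug 5: pinning requires that the path user is the caller AND that the post
// belongs to the caller. The post id from the request is never trusted on its own.
function pinPost(caller, pathUser, postId) {
  if (caller !== pathUser) return { status: 403, error: 'path user mismatch' };
  const post = POSTS.get(postId);
  if (!post) return { status: 404 };
  if (post.author !== caller) return { status: 403, error: 'not post owner' };
  USERS.get(caller).pinned = postId;
  return { status: 200, pinned: postId };
}
```

The ownership test in `pinPost` is the same shape as the principal test in the settings endpoint from bug 1; when both live in one helper that every post route calls, an endpoint added later cannot quietly skip it.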

Special thanks

I would like to thank the gettr.com dev team for addressing these bugs and fixing them very quickly, and special thanks to Joe; thank you man for your support.


Videos

Timeline

Sarmad, 04 Jul 2021: Initial Report

04 Jul 2021: Bugs Fixed

VALID