In this blog post, I will talk about how I was able to compromise user accounts using an HTTP parameter pollution vulnerability in the password reset page of a popular company. Below is a description of the vulnerability class.
HTTP Parameter Pollution, as the name implies, pollutes the HTTP parameters of a web application (for example by repeating a parameter name) so that the application performs a malicious action different from its intended behaviour.
Alert: Full Disclosure: I will be disclosing the details of the company as the company didn’t follow the responsible disclosure guidelines. I didn’t receive any response from the company regarding this vulnerability even after reporting them via multiple channels such as twitter, Facebook, LinkedIn, and Email. They also have a public Bug Bounty Program.
So the company is ReadMe. They recently received $9 Million in funding. ReadMe helps companies create and manage their documentation (including API documentation) all in one place. Big companies such as Coinbase, Microsoft, IBM, Mozilla, Trello etc. are their clients.
So here are the details.
After finding out about their bug bounty program from my friend, I started doing recon on the website. After creating an account on dash.readme.io, I started browsing it just like a normal user would, to understand the flow of the website.
Next, I tried to understand their password reset mechanism. They simply send a unique link to my email address for the password reset, such as https://dash.readme.io/reset/l2s6ugXXXXXXXXXXXXXVAzLDMeVWXXX. The link is unique and tied to the particular email address. I tried resetting other accounts' passwords, but the token was tied to the email address that requested the reset.
Below are the details of the POST request for the password reset. This request sends a unique link to the email address.
Here is the request that was modified to get the reset link. By simply adding a second email parameter to the request containing the attacker's email address, you can get the password reset email for the victim. Both email addresses receive the password reset link, and the link is only valid for 20 minutes.
Basically, the logic on the website creates a reset link for the first email address but sends the link to every email address mentioned in the request. Now you can reset the account password for the victim email address.
BOOM!!!. ACCOUNT TAKEOVER
- Go to https://dash.readme.io/forgot/
- Start Burp Proxy and start intercepting requests
- Enter the email address of the victim on the website and click submit
- Intercept the request in Burp, add another email parameter with the attacker's email address, and forward the request
- You will now receive the email from ReadMe regarding the account password reset.
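To show the flaw described above from the fixing side, here is an added Python example that is not ReadMe's code: the user store, token store and mailer are constructed in-memory stand-ins, and the handler names are hypothetical. The vulnerable handler binds the token to the first email value but mails every value; the hardened one rejects a repeated parameter outright and takes the recipient from the token binding, never from the request.

```python
from urllib.parse import parse_qs
import secrets

# Constructed stand-ins for the user store, token store and outgoing mail queue.
USERS = {"victim@example.com"}   # constructed sample account
TOKENS = {}                      # token -> email address the reset is bound to
SENT = []                        # (recipient, token) pairs that were "mailed"

def issue_token(email):
    token = secrets.token_urlsafe(24)
    TOKENS[token] = email
    return token

def vulnerable_forgot(body):
    """Mirrors the behaviour the post describes: the token is bound to the
    first email= value, but the mail goes to every email= value in the body."""
    emails = parse_qs(body).get("email", [])
    if not emails or emails[0] not in USERS:
        return "ok"              # same response either way, avoids account enumeration
    token = issue_token(emails[0])
    for rcpt in emails:          # BUG: a duplicated parameter leaks the link to the attacker
        SENT.append((rcpt, token))
    return "ok"

def hardened_forgot(body):
    """Reject polluted input and send only to the address the token is bound to."""
    emails = parse_qs(body).get("email", [])
    if len(emails) != 1:
        return "bad_request"     # a repeated email= parameter is never legitimate here
    email = emails[0].strip().lower()
    if email in USERS:
        token = issue_token(email)
        SENT.append((TOKENS[token], token))  # recipient comes from the binding, not the request
    return "ok"
```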
IMPACT: High!! at least for the customers :)
The ReadMe customers page provides a good list of targets. You can collect a list of email addresses for a target company and send them through Burp Intruder. If any of those emails have a ReadMe account, you will receive the account password reset link for that account. Reset the password and access the account. Now you can modify the documentation and insert malicious links or misdirect users. The possibilities are endless.
07.30.2019: Notified the company about the bug with all the details via email. No response.
08.02.2019: Contacted their support via chat. No response.
08.04.2019: Contacted via Twitter, LinkedIn and Facebook. No response.
09.05.2019: Still no response from the company.
Today: Full Disclosure