#BugBounty — “How I was able to hack any user account via password reset?”

Hi Guys,

During my recent bug bounty hunt, I came across a critical and yet simple vulnerability. We, all have had the moment when we make these accounts at various websites and barely use them and when we try to login back to those websites, we had to reset password.
A similar incident happened when I was trying to login to this website let’s say www.example.com , I couldn’t remember the password and then I clicked on forget password.

So let’s hack.

So, wwww.example.com sent me the password reset email and I noticed base64 encoding in the link. I quickly checked the link in Burp suite and it was like this:

https://www.example.com/members/update-password/<base64 encoded>/<base64 encoded2>

I used the inbuilt burp suite decoder and decoded it.
first one was decoded to : <email address>- -<company name>
second one was decoded to : <GMT +00 DateTime>- -<company name>

Then i checked for new account verification email. After signing up I got a verification email which was like this:

https://www.example.com/members/email-verification<base64 encoded>/<base64 encoded2>

As you can see both the forget password link and verification link was just using Base64 encoding in it’s link which decodes to email address of which i was trying to reset password or verify and — and the last one was company name; the second one was decoded to the GMT timestamp when i requested to forget password or trying to register along with — and again company name.

Here comes the next step of compromising user account. By visiting Facebook page of that company, I found many emails of valid user accounts in the comments.I was going to reset the password of one of that email but remembered it won’t be ethical. Never test users account without company permission, better create another test account and test.

An attacker can get valid users email from the Facebook page comments and reset their password which will lead to account takeover of any user. Never share your email address publicly.

I reported this vulnerability to the concerned company, and they were quick to patch it. I thank the company for the small token of appreciation :)

Thanks for reading!

~ BgxDoc ( https://twitter.com/BgxDoc )