Weak Password Setting function on practo.com

This is my bug bounty story, so let's get started with the bug without further talking.

The target was Practo.com

I hadn't set my password when I came across this issue (I had logged in with an OTP). When I tried to log in via the browser I was prompted to set a password, and this request was in play.

(Screenshot: the request)
(Screenshot: popup asking us to set a password)

Enter a value in both fields and set the password. We now have a password for our account.

Now let's exploit it.

If we try to change the password, we need the old password.

(Screenshot: the old password is required to change the password)

Let's bypass this.

From the above request we can see that the link asking us to set a new password is

https://accounts.practo.com/fill_password?create_password=True&mobile=%2B91[my_mobile_no]&intent=fabric&next=%2Fcheckid_request&account_flow=True&view_type=normal

If we go back to this link, we see this:

I was surprised! This link should have expired, but it is still active. I entered a new password and the password was changed without the old password.

Just change [my_mobile_no] to your registered mobile number. That's it!
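To make the flaw concrete, here is an added model of the flow (example code written for this write-up, not Practo's code). The weak handler trusts `create_password=True` and the mobile number in the URL, so replaying the original `fill_password` link sets a new password with no old-password check, exactly the behaviour described above. The hardened handler ignores those parameters for authorization: it consults the server-side account state, allows a password-less set only while no password exists and only with a single-use token issued at OTP login, and otherwise demands the current password. The in-memory account store, the mobile number and the token helper are constructed for the example and are hypothetical.

```python
from urllib.parse import urlparse, parse_qs
import hashlib
import hmac
import os
import secrets

# The link from the post, with a constructed (fake) mobile number substituted.
LINK = ("https://accounts.practo.com/fill_password?create_password=True"
        "&mobile=%2B911234567890&intent=fabric&next=%2Fcheckid_request"
        "&account_flow=True&view_type=normal")


def new_store():
    # Hypothetical in-memory account store: mobile -> record.
    # pw_hash is None until the user sets a first password.
    return {"+911234567890": {"pw_hash": None, "set_token": None}}


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _store(account, password):
    salt = os.urandom(16)
    account["pw_hash"] = (salt, _hash(password, salt))


def verify(account, password):
    """Constant-time check of a candidate password against the stored hash."""
    if account["pw_hash"] is None:
        return False
    salt, digest = account["pw_hash"]
    return hmac.compare_digest(digest, _hash(password, salt))


def _parse(url):
    q = parse_qs(urlparse(url).query)
    return q, q.get("mobile", [""])[0]   # parse_qs decodes %2B back to '+'


def weak_fill_password(store, url, new_password):
    """Weak: authorization is decided by URL parameters, so the link never 'expires'."""
    q, mobile = _parse(url)
    if q.get("create_password", [""])[0] != "True":
        return "denied"
    account = store.get(mobile)
    if account is None:
        return "denied"
    _store(account, new_password)        # no check that a password already exists
    return "password set"


def issue_set_token(store, mobile):
    """Issued once at OTP login; bound to the account, consumed on first use."""
    tok = secrets.token_urlsafe(32)
    store[mobile]["set_token"] = tok
    return tok


def hardened_fill_password(store, url, new_password, old_password=None, token=None):
    """Hardened: server-side state decides; create_password=True in the URL is ignored."""
    _, mobile = _parse(url)
    account = store.get(mobile)
    if account is None:
        return "denied"
    if account["pw_hash"] is None:
        # First password: only with the single-use token from the OTP login.
        if (token is None or account["set_token"] is None
                or not hmac.compare_digest(token, account["set_token"])):
            return "denied"
        account["set_token"] = None      # consume the token
        _store(account, new_password)
        return "password set"
    # A password already exists, so this is a change: require the old one.
    if old_password is None or not verify(account, old_password):
        return "denied: old password required"
    _store(account, new_password)
    return "password changed"
```

Replaying `LINK` against `weak_fill_password` succeeds every time, which is the bug; against `hardened_fill_password` the second call fails until the caller supplies the current password, and the token cannot be reused because it is cleared on first use.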

Reported on : Oct 1, 2020, 12:12 AM

Response : Oct 9, 2020, 12:36 AM

Response from the developer

Won't be fixed, but they will change the feature :)

No hall of fame will be provided.