Full Account Takeover via Changing Email And Password of any User through API Parameters

Adesh Kolte
Jul 26, 2019 · 2 min read
Let's get started.

I'm going to talk about a common and strange password reset system that I have seen many times in bug hunting and in many VAPT projects. In many cases this system opens the door for an attacker to hijack users' accounts.

The story started when I was testing the change password function on this website, and I found something interesting. After I changed my password successfully via the change password functionality, I noticed the following request:

[Screenshot: the change password request]

After checking this request:

[Screenshot of the request]

Shocked.

Then I asked other users of this web app for their emails, and I successfully changed their passwords and got access to their accounts.

Steps:

1. The attacker has to log in with their own account and go to the change password function.

[Screenshot: the change password form]

2. Start Burp Suite and intercept the request.

3. After intercepting the request, send it to Repeater and modify the Email and Password parameters.

(I randomly used different users' emails and changed their passwords: taken over :))

[Proof of concept screenshots]
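As an added illustration (not code from this write-up or from the affected site), here is a minimal Python change-password handler in the shape the post describes, where the request body's Email parameter selects the account, beside a hardened version that binds the change to the authenticated session and requires the current password. The in-memory user store, email addresses and function names are all constructed assumptions.

```python
import hashlib
import hmac
import os

# Constructed in-memory user store: email -> {"salt": bytes, "hash": bytes}.
USERS = {}


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def set_password(email, password):
    """Store a fresh salted hash for the account identified by email."""
    salt = os.urandom(16)
    USERS[email] = {"salt": salt, "hash": _hash(password, salt)}


def verify_password(email, password):
    """True only if the account exists and the password matches."""
    rec = USERS.get(email)
    if rec is None:
        return False
    return hmac.compare_digest(rec["hash"], _hash(password, rec["salt"]))


def change_password_vulnerable(session_email, body):
    """Shape of the bug in the write-up: the account to update is taken from
    the request body, so any logged-in user can overwrite any other user's
    password just by editing the Email parameter (session_email is ignored)."""
    target = body["email"]
    if target not in USERS:
        return False
    set_password(target, body["password"])
    return True


def change_password_fixed(session_email, body):
    """Hardened form: the account comes only from the authenticated session,
    a client-supplied email that disagrees with it is rejected, and the caller
    must prove knowledge of the current password before it is replaced."""
    if session_email not in USERS:
        return False
    if "email" in body and body["email"] != session_email:
        return False
    if not verify_password(session_email, body.get("current_password", "")):
        return False
    set_password(session_email, body["new_password"])
    return True
```

The detection angle is the same check in reverse: a change-password request whose email parameter differs from the session's user is worth logging and alerting on even after the handler rejects it.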

Timeline:

13–6–2018 : Vulnerability reported
15–6–2018 : Vulnerability Confirmed
23–6–2018 : Vulnerability Fixed

Thanks for reading :)
