Full Account Takeover via Changing Email And Password of any User through API Parameters

Adesh Kolte
Jul 26 · 2 min read

I’m going to talk about a common and strange password reset system that I have seen many times in bug hunting and in many VAPT projects, and in many cases this system opens the door for an attacker to hack users’ accounts.

The story started when I was testing the Change Password function on this website, and I found something interesting. After I changed my password successfully via the Change Password functionality, I noticed the following request:

After checking this request:

Then I asked other users who use this website for their email addresses, and I successfully changed their passwords and got access to their accounts.

Steps:

1. The attacker has to log in with their own account and go to the Change Password function.

2. Start Burp Suite and intercept the request.

3. After intercepting the request, send it to Repeater and modify the Email and Password parameters.

(I randomly used different users’ emails and changed their passwords: taken over :))
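The bug and its fix side by side, as an added Python example that is not code from this post or from the affected website: a constructed in-memory user store, a change-password handler that trusts the request’s Email parameter (the flaw described above), and a hardened handler that takes the target account from the authenticated session only and requires the current password.

```python
import hashlib
import hmac
import os

# Constructed in-memory user store for the example (not the real site's data).
USERS = {
    "alice@example.test": {"salt": os.urandom(16), "hash": b""},
    "bob@example.test": {"salt": os.urandom(16), "hash": b""},
}


def _hash(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 password hash."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def set_password(email: str, password: str) -> None:
    USERS[email]["hash"] = _hash(password, USERS[email]["salt"])


def verify(email: str, password: str) -> bool:
    """Constant-time check of a password against the stored hash."""
    user = USERS.get(email)
    if user is None:
        return False
    return hmac.compare_digest(user["hash"], _hash(password, user["salt"]))


set_password("alice@example.test", "alice-old")
set_password("bob@example.test", "bob-old")


def change_password_vulnerable(session_email: str, params: dict) -> str:
    # Trusts the client-supplied 'email' parameter, so any logged-in user can
    # reset any other account's password: the flaw in the post. session_email
    # is ignored entirely.
    set_password(params["email"], params["password"])
    return "ok"


def change_password_fixed(session_email: str, params: dict) -> str:
    # The target account is the session's own identity; the request must also
    # prove knowledge of the current password before anything changes.
    if not verify(session_email, params.get("current_password", "")):
        return "forbidden"
    # A client-sent email that differs from the session is a tamper signal:
    # refuse it (and in a real app, log it for detection) rather than honour it.
    if params.get("email") not in (None, session_email):
        return "forbidden"
    set_password(session_email, params["password"])
    return "ok"
```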

Timeline:

13–6–2018 : Vulnerability reported
15–6–2018 : Vulnerability Confirmed
23–6–2018 : Vulnerability Fixed

Thanks for reading :)

Written by Adesh Kolte, listed in the Top 100 most respected hackers in the world by Microsoft at the BlackHat conference in America, 2018.
