Password reset to full account takeover

Hamza Bettache
Jun 15, 2018 · 2 min read

Hi

Yes, I know: this is my first write-up, and the bug I'm going to talk about is neither complicated nor hard to find.

I decided to start sharing and writing, so the following lines are just a first step.

I was working on a private program (the website of a company that performs payments and receives and sends money online).

Let's call it www.redacted.com.

When a user requests to reset their password through "Forgot password" using their email address, they get redirected to

https://www.redacted.com/en/reset-password/reset/CbagrB45USRBLQb30xt2QiLnKrkFBQzD

and a verification code is sent to the user's inbox.

So I created another account, requested a verification code, and used it on the first reset form (treating that one as the victim account), and I got:

So yes, it was that simple, and I think it doesn't even need a write-up, but I wanted to talk about it for two reasons:

1- It is a global payment service, used by millions of users!

2- It provides users with a Visa card, and at that time the website was not using 2FA or even a more secure password reset process (like asking for a date of birth, etc.).
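The behaviour above implies that the emailed code was accepted on its own rather than checked against the reset request the URL token identifies. The following is an added example, not code from the post or from the program in question: a constructed in-memory model of that flawed check next to a hardened one that binds the code to the token and enforces expiry, single use and an attempt limit.

```python
import hmac
import secrets
import time

# Constructed in-memory store standing in for the service's database:
# url_token (the part after /reset/) -> reset request details.
RESET_REQUESTS = {}
CODE_TTL_SECONDS = 15 * 60
MAX_ATTEMPTS = 5


def request_reset(email):
    """Issue a reset URL token and an emailed 6-digit code for `email`."""
    token = secrets.token_urlsafe(24)
    code = f"{secrets.randbelow(10**6):06d}"
    RESET_REQUESTS[token] = {"email": email, "code": code, "used": False,
                             "attempts": 0,
                             "expires": time.time() + CODE_TTL_SECONDS}
    return token, code


def vulnerable_verify(token, code):
    """The pattern the write-up implies: the code is looked up on its own,
    so any outstanding code unlocks whichever account the URL token names."""
    if token not in RESET_REQUESTS:
        return None
    if any(req["code"] == code for req in RESET_REQUESTS.values()):
        return RESET_REQUESTS[token]["email"]  # the token's account is reset
    return None


def hardened_verify(token, code):
    """Bind the code to the request the token identifies, enforce expiry,
    single use and an attempt limit, and compare in constant time."""
    req = RESET_REQUESTS.get(token)
    if req is None or req["used"] or time.time() > req["expires"]:
        return None
    if req["attempts"] >= MAX_ATTEMPTS:
        return None  # a 6-digit code must not be guessable by retrying
    req["attempts"] += 1
    if not hmac.compare_digest(req["code"], code):
        return None
    req["used"] = True  # a code proves ownership exactly once
    return req["email"]
```

The attempt limit matters as much as the binding: a short numeric code that is tied to the right account but can be retried without limit is still weak.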

The bounty was frustrating at first, so I contacted the CEO, and he asked for it to be raised. They did, but it was not fair at all; still, I had to accept it :p

I hope you enjoyed the write-up, and see you in another good finding.

Happy hunting.

Hamza.
