Password reset to full account takeover

Hi

Yes, I know: this is my first write-up, and the bug I'm going to talk about is neither that complicated nor that hard to find.

I decided to start sharing and writing, so the following words are just a first step.

I was working on a private program (the website of a company that performs payments and receives and sends money online).

Let's name it www.redacted.com.

When a user requests to reset his password through "Forgot password" using his email address, he gets redirected to

https://www.redacted.com/en/reset-password/reset/CbagrB45USRBLQb30xt2QiLnKrkFBQzD

and a verification code is sent to the user's inbox.

So I created another account, requested a verification code and used it on the first reset form (treating that one as the victim account), and I got:
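What the behaviour above means is that the server checked whether the submitted code was a valid code at all, not whether it was the code issued for the account behind the reset link. The following is an added illustration, not the program's code or anything from the target site: a toy reset store (its names, the 15-minute TTL and the six-digit code format are all assumptions) with the unbound check beside a hardened one that ties the code to the reset token's account, expires it, and makes it single-use.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Tuple

CODE_TTL_SECONDS = 15 * 60  # assumed lifetime of an emailed code


@dataclass
class ResetRequest:
    account: str      # the account that requested the reset
    code: str         # the code that was emailed for this request
    issued_at: float
    used: bool = False


def random_code() -> str:
    """Six-digit numeric code, as many reset emails use (constructed format)."""
    return f"{secrets.randbelow(10**6):06d}"


class ResetStore:
    """In-memory model of a password-reset flow (hypothetical, for illustration)."""

    def __init__(self, now: Callable[[], float] = time.time,
                 code_gen: Callable[[], str] = random_code):
        self.now = now
        self.code_gen = code_gen
        self.by_token: Dict[str, ResetRequest] = {}

    def start_reset(self, account: str) -> Tuple[str, str]:
        """Issue the URL token (reset link) and the code (inbox) for one account."""
        token = secrets.token_urlsafe(24)
        code = self.code_gen()
        self.by_token[token] = ResetRequest(account, code, self.now())
        return token, code

    def verify_unbound(self, token: str, code: str) -> bool:
        """Flawed pattern: any currently issued code is accepted on any reset form,
        so a code requested for one account passes on another account's link."""
        if token not in self.by_token:
            return False
        return any(hmac.compare_digest(r.code, code) for r in self.by_token.values())

    def verify_bound(self, token: str, code: str) -> bool:
        """Hardened: the code must be the one issued for this token's account,
        still within its lifetime, and not already consumed."""
        req = self.by_token.get(token)
        if req is None or req.used:
            return False
        if self.now() - req.issued_at > CODE_TTL_SECONDS:
            return False
        if not hmac.compare_digest(req.code, code):  # constant-time compare
            return False
        req.used = True  # single use: a replayed code is rejected
        return True


def demo() -> Dict[str, bool]:
    """Replays the write-up's scenario: the attacker's own code on the victim's link."""
    store = ResetStore()
    victim_token, victim_code = store.start_reset("victim@example.com")
    _attacker_token, attacker_code = store.start_reset("attacker@example.com")
    return {
        "unbound_accepts_foreign_code": store.verify_unbound(victim_token, attacker_code),
        "bound_rejects_foreign_code": not store.verify_bound(victim_token, attacker_code),
        "bound_accepts_own_code": store.verify_bound(victim_token, victim_code),
        "bound_rejects_replay": not store.verify_bound(victim_token, victim_code),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

The fix is the lookup key: the code is validated against the request the reset link belongs to, never against a global table of live codes. The TTL and the `used` flag are cheap extras that also close replay of an intercepted code.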

So yes, it was that simple, and I think it doesn't even need a write-up, but I wanted to talk about it for two reasons:

1- It is a global payment service, used by millions of users!

2- It provides users with a Visa card, and at that time the website was not using 2FA or even a more secure password reset process (like asking for a birth date, etc.).

The bounty was frustrating at first, so I contacted the CEO, and he requested to raise it, and they did, but it was not fair at all, and I had to accept it :p

I hope you enjoyed the write-up, and see you in another good finding.

Happy hunting.

Hamza.