Password reset to full account takeover
Yes, I know: this is my first write-up, and the bug I'm going to talk about is neither complicated nor hard to find.
I decided to start sharing and writing, so the following lines are just a first step.
I was working on a private program (the website of a company that performs payments and receives and sends money online).
Let's name it www.redacted.com.
When a user requests to reset his password through "Forgot password" using his email address, he gets redirected to
and a verification code is sent to the user's inbox.
So I created another account, requested a verification code for it, and used that code on the first reset form (treating the first account as the victim), and I got:
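The root cause described above is a reset code that is checked on its own, without being bound to the account that requested it. The following is an added example (not code from the program or the write-up) that models that mistake in a toy in-memory reset-code store and puts the hardened check next to it: the code is looked up by the account it was issued to, compared in constant time, expired after a TTL, limited to a few attempts and consumed on first use. The class name `ResetCodes`, the constants `CODE_TTL_SECONDS` and `MAX_ATTEMPTS`, and the `victim@example.com` / `attacker@example.com` addresses are all assumed for illustration.

```python
import hmac
import secrets
import time

CODE_TTL_SECONDS = 10 * 60   # assumed lifetime of a reset code
MAX_ATTEMPTS = 5             # assumed number of wrong guesses before the code is burned


class ResetCodes:
    """Toy in-memory store of pending password-reset codes (example only)."""

    def __init__(self):
        # email -> {"code": str, "issued": float, "attempts": int}
        self.by_email = {}

    def issue(self, email, now=None):
        """Generate a fresh 6-digit code for the account and remember who it belongs to."""
        now = time.time() if now is None else now
        code = "".join(secrets.choice("0123456789") for _ in range(6))
        self.by_email[email] = {"code": code, "issued": now, "attempts": 0}
        return code

    def verify_vulnerable(self, email, code):
        """The bug in the write-up: accepts *any* live code, ignoring which account it was issued to.

        A code the attacker requested for their own account therefore passes on the victim's
        reset form. The `email` argument is never consulted.
        """
        return any(rec["code"] == code for rec in self.by_email.values())

    def verify_hardened(self, email, code, now=None):
        """Bind the code to the account, expire it, rate-limit guesses and make it single-use."""
        now = time.time() if now is None else now
        rec = self.by_email.get(email)
        if rec is None:
            return False                      # no pending reset for this account
        if now - rec["issued"] > CODE_TTL_SECONDS:
            del self.by_email[email]          # expired: drop it so it can never be used
            return False
        if rec["attempts"] >= MAX_ATTEMPTS:
            del self.by_email[email]          # too many guesses: burn the code
            return False
        rec["attempts"] += 1
        # constant-time comparison so timing does not leak matching prefixes
        if not hmac.compare_digest(rec["code"], code):
            return False
        del self.by_email[email]              # single use: a replayed code fails
        return True


def demo():
    """Replay the attack from the write-up against both checks."""
    store = ResetCodes()
    store.issue("victim@example.com")                      # victim has a pending reset
    attacker_code = store.issue("attacker@example.com")    # attacker requests their own code
    return {
        "vulnerable": store.verify_vulnerable("victim@example.com", attacker_code),
        "hardened": store.verify_hardened("victim@example.com", attacker_code),
    }


if __name__ == "__main__":
    print(demo())
```

`demo()` returns `{"vulnerable": True, "hardened": False}`: the attacker's own code resets the victim's password under the vulnerable check and is rejected under the hardened one. The same hardened path also rejects a replayed, expired or brute-forced code, which is what a reset flow on a payment service needs even before 2FA is added.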
So yes, it was that simple, and I think it doesn't even need a write-up, but I wanted to talk about it for two reasons:
1- It is a global payment service, used by millions of users!
2- It provides users with a Visa card, and at that time the website was not using 2FA or even a more secure password reset process (like asking for a date of birth, etc.).
The bounty was frustrating at first, so I contacted the CEO and he requested that it be raised. They did raise it, but it was still not fair at all; I had to accept it though :p
I hope you enjoyed the write-up, and see you at another good finding.