Full Account takeover (ATO) — a tale of two bugs 🐛
Hi everyone, I hope we’re all having a swell day. Before I jump into today's bug report, I’d like to express my sincerest gratitude for the engagement my previous write-up received. In this write-up, I’d be highlighting how I found and chained two seemingly low severity bugs, to achieve account takeover on a program that I cannot disclose due to an NDA- Let’s call this target, www.xyz.com.
An Account takeover (ATO) is when an attacker gains access to the data and privileges associated with a compromised account. The possibility of achieving this is largely dependent on the bugs present in the target application and the creativity of the hacker.
Now, let's start with the first bug, an API based Insecure Direct Object Reference (IDOR), which occurs when an application exposes a reference to an internal implementation object. In English 😅, it's when a part of an application allows you to request and receive information that you're not authorized to see.
In this attack, I intercepted and changed my ID in the body of the POST request,(POST /xyz.com/Account?handler=GetUserData) using, Burp Suite. After sending the request, I got the data of the victim as seen in figure 1.
As important as this bug was, I had to shelve it a little longer because who doesn’t love a good chained attack? Now on to the next bug.🎤
If you haven't been taking static code analysis seriously, I’m here to tell you that you’ve probably missed out on a couple of juicy bugs. Now let’s take a look at the block of code ( figure 2) which I found on the “User Account” page and try to figure out the next line of action….I promise I’ll wait. 😁
In figure 2, we see a copy of the current user’s session on the browser. The session contains the user’s Id, rights and permission. These values are subsequently sent back to the API services for data, in the name of the current user.
Leveraging on the information provided in the first bug, as seen in Figure 1. I reloaded the “User Account” page, intercepted it and modified my IDs to the victim’s IDs.
The result — full access to the victim’s account. N.B — In this attack, I go by the name, Shaibu Abudu and the victim, Eric.
To show impact, I changed the victim's password.
As always, your feedback on this write-up will be very much appreciated.
Disclaimer: This write-up is for educational purposes only. I am in no way responsible for its misuse.
