Hello everyone, Recently, I discovered instances of account takeover resulting from password reset manipulation at both Cambridge and Drexel University. Regarding Drexel, I was so much excited to know that my fourth security issue discovery was acknowledged, following the resolution of three duplicate Cross-site scripting vulnerabilities.
Password reset poisoning is a technique whereby an attacker manipulates a vulnerable website into generating a password reset link pointing to a domain under their control. This behavior can be leveraged to steal the secret tokens required to reset arbitrary users’ passwords and, ultimately, compromise their accounts.
Generally, Users request the password reset link and uses it to change the password.
An attacker having active domain www.attacker.com, request password reset link for victim by inputting victims email address i.e firstname.lastname@example.org. Then the password reset link is received by the victim. The normal password reset link received by victim should be like the following:
But attacker manipulates the request so that the victim gets the password link like the following:
Now, when the victim clicks on the link, the userid along with the token is logged into the www.attacker.com which can be used by attacker to create new password and log into the victim’s account.
Generate crafted password reset request
- Intercept the password reset request in Burp Suite
- Change the host to www.attacker.com
If a web is vulnerable the inputted host is reflected in the password reset link
3. Send the request and observe the mail. The inputted host header i.e www.attacker.com may reflect in the password reset link as following:
An attacker can easily take over the victim account.
- Implement MFA for password resets, use unique reset tokens, and employ email verification.
- Users should ignore and report the unrequested password reset to an organization immediately