Block victim from resetting his password
Peace be upon you everyone ..
Today I am going to discuss an abnormal bug that allowed me to block a legitimate user from resetting his password while, at the same time, he can reset the password for the attacker's email!
Seems weird, just follow …
The site does not allow disclosure of its reports, so let's call it site.com.
While investigating the site for more than a few weeks I came across a functionality that allows you to add a user beside your primary user. The bug was that you could modify the primary user's email, and here is the issue.
What I did was modify the primary email to, let's say, the victim's email (victim@gmail.com) // I will explain why we call it the victim below. What that does is: when the real primary mail requests a password reset, the reset token is sent to victim@gmail.com, and it resets the real primary mail.
And when victim@gmail.com requests a password reset, he also receives an email to reset the real primary mail, so here we denied the legitimate user from resetting his own password.
Here is how to reproduce:
1- Log in to your account with real-primary@gmail.com and modify the primary mail to victim@gmail.com
2- Now if real-primary@gmail.com requests a reset token, the link will be sent to victim@gmail.com and it will reset real-primary@gmail.com
3- When victim@gmail.com requests a password reset, he will also receive an email to reset real-primary@gmail.com, and he can't now reset his own password
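The root cause here is an email address that is accepted as a primary contact without proof of ownership and without a uniqueness check, so two accounts end up sharing one reset address and the lookup by email shadows the victim's account. The following Python model is an added example, not site.com's code or the author's; the class and function names (AccountStore, change_primary_email, request_password_reset) and the example.com addresses are constructed for illustration. It replays the scenario once with the flawed behaviour and once with the two defensive checks a fix would need: reject an address already owned by another account, and keep the old primary in force until the new address confirms a token.

```python
"""Added example: primary-email change vs. password-reset collision.
Everything here (names, addresses) is constructed for illustration."""
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class Account:
    login: str                           # immutable login identifier
    email: str                           # primary (contact) email used for resets
    pending_email: Optional[str] = None  # new address awaiting verification
    pending_token: Optional[str] = None


class AccountStore:
    """In-memory account store. hardened=False reproduces the flawed
    behaviour described in the post; hardened=True applies the fixes."""

    def __init__(self, hardened: bool):
        self.hardened = hardened
        self.accounts: dict[str, Account] = {}
        self.outbox: list[tuple[str, str]] = []  # (recipient, message) stand-in for SMTP

    def _email_taken(self, email: str, exclude: Optional[str] = None) -> bool:
        return any(a.email == email and a.login != exclude for a in self.accounts.values())

    def register(self, login: str, email: str) -> Account:
        if self.hardened and self._email_taken(email, exclude=login):
            raise ValueError("email already in use")
        acct = Account(login=login, email=email)
        self.accounts[login] = acct
        return acct

    def change_primary_email(self, login: str, new_email: str) -> None:
        acct = self.accounts[login]
        if not self.hardened:
            # Flaw: the new address takes effect immediately, with no
            # ownership proof and no check that another account owns it.
            acct.email = new_email
            return
        # Fix 1: the address must not belong to another account.
        if self._email_taken(new_email, exclude=login):
            raise ValueError("email already in use")
        # Fix 2: the old primary stays in force until the new address
        # proves it can receive mail by echoing back a confirmation token.
        acct.pending_email = new_email
        acct.pending_token = secrets.token_urlsafe(16)
        self.outbox.append((new_email, f"confirm-email:{acct.pending_token}"))

    def confirm_email_change(self, login: str, token: str) -> bool:
        acct = self.accounts[login]
        if acct.pending_token is None or not secrets.compare_digest(acct.pending_token, token):
            return False
        acct.email, acct.pending_email, acct.pending_token = acct.pending_email, None, None
        return True

    def request_password_reset(self, email: str) -> Optional[str]:
        """Look up the account by email and mail it a reset token.
        Returns the login the token belongs to, or None if nothing matched."""
        matches = [a for a in self.accounts.values() if a.email == email]
        if not matches:
            return None
        # With duplicate emails the first match wins, so the second account
        # carrying that address is shadowed: its owner can never get a reset
        # for their own account. That is the denial the post describes.
        acct = matches[0]
        token = secrets.token_urlsafe(16)
        self.outbox.append((acct.email, f"reset:{acct.login}:{token}"))
        return acct.login


def demo(hardened: bool) -> dict:
    """Replay the post's reproduction steps; report what each reset resolved to."""
    store = AccountStore(hardened=hardened)
    store.register("attacker", "real-primary@example.com")  # constructed
    store.register("victim", "victim@example.com")          # constructed
    try:
        store.change_primary_email("attacker", "victim@example.com")
        change_accepted = True
    except ValueError:
        change_accepted = False
    return {
        "change_accepted": change_accepted,
        "attacker_email_now": store.accounts["attacker"].email,
        "reset_for_victim_address": store.request_password_reset("victim@example.com"),
        "mail_to_victim": [m for r, m in store.outbox if r == "victim@example.com"],
    }


if __name__ == "__main__":
    print("flawed:  ", demo(hardened=False))
    print("hardened:", demo(hardened=True))
```

In the flawed run the reset requested for victim@example.com resolves to the attacker's login and the victim's inbox receives a token for someone else's account; in the hardened run the email change is refused and the reset resolves to the victim. A database UNIQUE constraint on the verified email column gives the same guarantee as the in-memory check, and a pending-address column that only becomes the primary after confirmation covers the ownership proof.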
Thank you for reading! Hope you enjoyed it…
You can find me on Twitter @0xMohamed_Ayad
and also on LinkedIn @0xmh3yad