Password Reset Vulnerability — Full Account Takeover (Insecure Direct Object Reference)

Jun 22, 2019 · 3 min read

Hello everyone,

This is Muhammad Asim Shahzad a.k.a protector47!

Today I'm going to share another interesting finding: a password reset vulnerability that requires no user interaction.


Basically, the vulnerability allowed me to reset the password of any user as long as I knew the victim's username, and luckily the target application was also vulnerable to user enumeration.

Vulnerability Explanation:

This type of vulnerability occurs when a server does not validate its inputs properly. Here, the server accepted the username and email sent by the client on a later step of the reset flow instead of binding the reset to the account whose security questions had just been verified. Input validation is one of the most important and necessary security controls.

So without wasting more time let’s start…..

I was testing a private Bug Bounty Program on HackerOne, and I went looking for user enumeration first.

The forgot-password panel is the best place to enumerate the registered users of an application. After enumerating users through it, I noticed that the target application had a different mechanism for resetting the password.


Meaning it takes the username, email and security questions and then lets the user reset the password on the same page; there is no password reset token, etc.

How I exploited the vulnerability

  1. First, I created two accounts on the application (one as the attacker's account and one as the victim's account).
  2. I went to the forgot-password panel and entered the attacker account's information.
  3. I entered the attacker's "Login ID" and "Email" and moved to the next step, "Security Questions".
  4. I then answered the attacker's "Security Questions" and intercepted the request.
  5. In the intercepted request I found the security question answers plus the email address and username as well.
  6. I thought: what if I change the email address and username to the victim's email address and username?
  7. I changed the email address and username to the victim's email address and username and forwarded the request.
  8. I reached the password reset screen. At this point I was totally blind as to which account's password would be reset if I updated it.
  9. I reset the password and booooom! An email arrived at the victim's email address saying that the password had been reset.
Celebration time :D

What I actually did: I entered the attacker's username, email and security questions on the forgot-password panel and, before moving on to the password reset screen, I just changed the email and username to the victim's email and username :D
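To make the flaw in the "Vulnerability Explanation" and the exploit steps above concrete, here is a small model of the three-step reset flow (identify, security question, set new password). This is an added example, not code from the original post or from the target program. The field names, the ResetServer class, the run_attack helper and the sample accounts are assumptions. The write-up does not show how the server combined the fields, so this model assumes the security answer was checked against the account from step 1 while the account to reset was taken from the login_id/email the client re-sent in step 2, which is the behaviour the steps imply; the same class with client binding switched off shows the fix (the reset stays bound to the account whose answer was verified).

```python
"""Toy model of the multi-step forgot-password flow from the write-up.

Added example, not the original post's or target program's code. Field
names, classes, helpers and sample accounts are assumptions. The flaw is
modelled as: the server verifies the security answer for the account from
step 1, then trusts a login_id/email re-sent by the client in step 2 and
resets *that* account instead.
"""
import hmac
import secrets

# Constructed sample accounts, not real data.
SAMPLE_USERS = {
    "attacker": {"email": "attacker@example.com", "answer": "rex", "password": "att-old"},
    "victim": {"email": "victim@example.com", "answer": "mittens", "password": "vic-old"},
}


class ResetServer:
    """Server-side state for the reset flow.

    bind_from_client=True reproduces the vulnerable behaviour: step 2 rebinds
    the reset session to whatever login_id/email the client sent. With False
    the session stays bound to the account identified in step 1 (the fix).
    """

    def __init__(self, bind_from_client):
        self.users = {k: dict(v) for k, v in SAMPLE_USERS.items()}
        self.sessions = {}
        self.bind_from_client = bind_from_client

    def step1_identify(self, login_id, email):
        """Login ID + email screen. Returns a reset session id or None."""
        user = self.users.get(login_id)
        if user is None or user["email"] != email:
            return None
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"login_id": login_id, "stage": "question"}
        return sid

    def step2_question(self, sid, answer, login_id=None, email=None):
        """Security question screen. login_id/email are the extra fields the
        write-up found in the intercepted request."""
        sess = self.sessions.get(sid)
        if sess is None or sess["stage"] != "question":
            return False
        # The answer is checked against the account identified in step 1 ...
        verified = self.users[sess["login_id"]]
        if not hmac.compare_digest(verified["answer"], answer):
            return False
        if self.bind_from_client and login_id is not None:
            # ... but the vulnerable server then trusts the login_id/email the
            # client re-submitted and stores that as the account to reset.
            target = self.users.get(login_id)
            if target is None or target["email"] != email:
                return False
            sess["login_id"] = login_id
        sess["stage"] = "reset"
        return True

    def step3_reset(self, sid, new_password):
        """Password reset screen. Returns the login_id whose password changed."""
        sess = self.sessions.pop(sid, None)
        if sess is None or sess["stage"] != "reset":
            return None
        self.users[sess["login_id"]]["password"] = new_password
        return sess["login_id"]


def run_attack(server):
    """Replay the write-up: the attacker passes their own identify and
    security-question steps, but swaps the victim's login_id/email into the
    intercepted step-2 request. Returns (account reset, victim's password)."""
    sid = server.step1_identify("attacker", "attacker@example.com")
    server.step2_question(sid, "rex", login_id="victim", email="victim@example.com")
    reset_account = server.step3_reset(sid, "pwned123")
    return reset_account, server.users["victim"]["password"]


if __name__ == "__main__":
    print("vulnerable:", run_attack(ResetServer(bind_from_client=True)))
    print("fixed:     ", run_attack(ResetServer(bind_from_client=False)))
```

The fix is not to validate the re-sent fields harder but to ignore them: once the security answer is verified, the account to reset must come only from server-side session state established in step 1, and the client should never be able to name the target account again. A per-user, single-use reset token issued after step 2 achieves the same binding.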

Earned $1,200 :)


Thanks a lot for reading my writeup!
