Password Reset Vulnerability — Full Account Takeover (Insecure Direct Object Reference)

Muhammad Asim Shahzad
Jun 22 · 3 min read

Hello everyone,

This is Muhammad Asim Shahzad a.k.a protector47!

Today I’m going to share another interesting finding: a password reset vulnerability that needs no user interaction.

Basically, the vulnerability allowed me to reset the password of any user as long as I knew the victim’s username, and luckily the target application was also vulnerable to user enumeration.

Vulnerability Explanation:

This type of vulnerability occurs when a server does not validate its inputs properly; input validation is one of the most important and necessary security controls.

So without wasting more time, let’s start…

I was testing a private bug bounty program on HackerOne, and I was looking for user enumeration first.

The forgot password panel is the best place to enumerate the registered users of an application. I enumerated users from the forgot password panel, and after that I noticed the target application had a somewhat different mechanism for resetting the password.

It takes the username, email and security questions and then lets the user reset the password on the same page; there is no password reset token sent by email or anything like that.

How I exploited the vulnerability:

  1. First, I created two accounts on the application (suppose abc@gmail.com is the attacker’s account and xyz@gmail.com is the victim’s account)
Celebration time :D

What I actually did: I entered the attacker’s username, email and security answers on the forgot password panel and, before moving on to the password reset screen, I simply changed the email and username to the victim’s email and username :D
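To show the root cause on the server side, here is an added example (not the target application’s code, and not part of the original post) in Python with a constructed in-memory user store. The vulnerable step 2 re-reads the username from the second request, so any verified session can reset any account; the hardened step 2 only acts on the identity that step 1 actually verified and consumes that verification so it cannot be replayed.

```python
import hmac
from dataclasses import dataclass


@dataclass
class User:
    email: str
    answer: str        # security question answer (demo only; hash these in real systems)
    password: str      # demo only; store a password hash in real systems


def make_store():
    """Constructed demo users, mirroring the two accounts in the writeup."""
    return {
        "attacker": User("abc@gmail.com", "blue", "attacker-pw"),
        "victim": User("xyz@gmail.com", "green", "victim-pw"),
    }


def verify_identity(users, session, username, email, answer):
    """Step 1: check username, e-mail and security answer, then remember the
    verified identity in the server-side session (never in a client-controlled field)."""
    user = users.get(username)
    ok = (user is not None
          and hmac.compare_digest(user.email, email)
          and hmac.compare_digest(user.answer, answer))
    if ok:
        session["verified_user"] = username
    return ok


def vulnerable_reset(users, session, username, new_password):
    """Step 2 as the writeup describes it: the server knows *someone* was verified,
    but trusts the username resubmitted with the new password (the IDOR)."""
    if "verified_user" not in session or username not in users:
        return False
    users[username].password = new_password
    return True


def hardened_reset(users, session, username, new_password):
    """Step 2 bound to step 1: the account to change comes from the session,
    the resubmitted username must match it, and the verification is single-use."""
    verified = session.pop("verified_user", None)
    if verified is None or not hmac.compare_digest(verified, username):
        return False
    users[verified].password = new_password
    return True
```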

Earned $1,200 :)

Thanks a lot for reading my writeup!

Muhammad Asim Shahzad

Synack Red Team Member | Bug Bounty Hunter at HackerOne | Pentest Engineer at Trillium Information Security Systems.