Account Takeover without User Interaction

Hello hunters, hope you are doing well.

I want to share something about my finding, which was marked as a DUPLICATE.

Let's dive into the topic.

Assume the program name is Redacted.com.

Attack Vector:

1. The application has a forgot-password feature. Enter the victim's email ID, then capture the request and the response.

Forgot Password Request

2. In the response I observed a token being transmitted. After checking the inbox, it became clear that the token was the reset-password token.

The response contains the token

3. Crafted the reset-password link using the “Token” value from the response:

https://Redacted.com/reset-password/09ef7xxx-xxxx-xxxx-xxxx-xxxxxxxxx62b?partner=

4. BOOM! Successfully changed the victim's password and accessed the account.
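To make the root cause concrete, here is an added example (my own code, not the program's or the author's) of a forgot-password handler that echoes the reset token in its HTTP response, next to a hardened version that sends the token only by email, stores just its hash, answers identically for unknown addresses, and consumes the token once with an expiry. The in-memory stores, the `example.invalid` host and the `response_leaks_token` check are constructed for the example.

```python
import hashlib
import secrets
import time

# Constructed in-memory stand-ins for a user table, a token table and a mail queue.
USERS = {"victim@example.com": {"password": "old-secret"}}
RESET_TOKENS = {}   # sha256(token) -> (email, expiry); raw tokens are never stored
OUTBOX = []         # (recipient, link) the mailer would deliver
TOKEN_TTL = 15 * 60


def _issue_token(email):
    token = secrets.token_urlsafe(32)
    digest = hashlib.sha256(token.encode()).hexdigest()
    RESET_TOKENS[digest] = (email, time.time() + TOKEN_TTL)
    OUTBOX.append((email, f"https://example.invalid/reset-password/{token}"))
    return token


def forgot_password_vulnerable(email):
    """Reproduces the bug from the write-up: the raw token is returned in the
    response body, so whoever submits the victim's address also receives it."""
    token = _issue_token(email)
    return {"status": "ok", "token": token}   # the leak


def forgot_password_fixed(email):
    """Hardened: token travels only in the email; the response is the same
    whether or not the address exists (no account enumeration)."""
    if email in USERS:
        _issue_token(email)
    return {"status": "ok", "message": "If that address exists, a reset link was sent."}


def reset_password(token, new_password):
    """Consume a token once; reject unknown or expired tokens."""
    digest = hashlib.sha256(token.encode()).hexdigest()
    entry = RESET_TOKENS.pop(digest, None)   # one-time use
    if entry is None:
        return False
    email, expiry = entry
    if time.time() > expiry:
        return False
    USERS[email]["password"] = new_password
    return True


def response_leaks_token(response):
    """Check a defender can script against the forgot-password endpoint:
    does the JSON body carry a key that looks like a reset secret?"""
    return any(k.lower() in ("token", "reset_token", "code") for k in response)
```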

This is my first blog. Thanks for reading :)

GOOD LUCK ! Happy Hunting.

I like to change things without having proper authorization. 🤫
