Tale of account takeover — Sensitive info Disclosure + Broken Access Control

Md Saqib
Jul 10, 2019


Hi mates, I'm Md Saqib from India. I'm new to this bug hunting community; hope you are doing good. Today I'm going to share an interesting tale of an account takeover vulnerability on a HackerOne private program. The vulnerability chains sensitive information disclosure (a user's auth_token) through IDOR with a password-confirmation bypass through broken access control. So let's get started! 😉

The program is a job portal site; as it is a private program I'll call it redacted.com. I signed up as a candidate and tested for some CSRF and stored XSS on the profile, but had no luck, so I decided to create another account to test for IDORs and to understand how the site works: registration, login, forgot password, etc. While creating the new account I was intercepting every request to the site and reading its response. During registration the site first asks for the user's email to check whether it is already registered, so I entered a new email address there and checked the response:

Figure: Leaking Auth_Token

I was like wait! What?? 🙄

`"redirect_url":"/?auth_token=_v2_8dsf8asdf12ad4f5a4sdf56as1df65asdf56sd4ff&contact_id=11cb26ae&expire=1152315525"`

This looked interesting to me... so I went ahead and changed the email to that of an already existing account.

Figure: Insecure Direct Object Reference on the auth_token leakage

And I got the auth_token of an existing account, which means I can get anyone's auth_token from this endpoint, `/candidate/create`. This is damn interesting. I just needed to figure out how I could abuse it, so I immediately looked through the Burp Suite proxy history to see where the auth_token is used... and it's very simple:

`https://redacted.com/?auth_token=d8fs4ds8fdsf84dsf8dsfads8fasd6f84dsf684dsafccv68f4&contact_id=52z1d5d4&expire=1152315525`

I fired up incognito mode in the browser and hit the above link... AND BOOM!!! I was logged into the victim's account... Oh yeah, account takeover. Amazing! I clicked on the profile to see if I could change the password or email of the victim's account... and you know what? I couldn't see the victim's profile...

Ohhhh shit, password confirmation!!!!! 😥 I was like 🤮

I decided to bypass this shit anyhow!

If you remember, I said I had successfully logged into the victim's account, but when I click on profile it asks for password confirmation, which means the account is somehow identified with the current cookie. So if I could change the victim's email, I could then request a new password at my own address.

I logged in to my own account to check how the change-email functionality works. I found the endpoint used to update the email, `/api/profile`, which takes a PATCH request with a JSON body: `{"email_address":"attackers@gmail.com"}`.

So I sent a PATCH request to `https://redacted.com/api/profile` with the victim's cookie and the JSON body `{"email_address":"mynewmail@gmail.com"}`.

Voila! Success!!

As you can see below, I successfully bypassed the password confirmation by changing the victim's email to the attacker's address. Now I can request a password reset link to my own inbox and reset the victim's password, thanks to broken authentication on the profile update endpoint.

Awesome! I was awarded $2500 for this report, and it was resolved within 4 days.

After this report was resolved I found another endpoint that bypasses the password-confirmation protection by changing the victim's email address. The endpoint looks like this: `/contact/api/update/v1`. I was awarded another $150 for the bypass.
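To make the two root causes concrete, here is an added example, not code from the program or from this write-up: a framework-free Python model of the registration check (`/candidate/create`) and the profile update (`/api/profile`), each in the vulnerable shape the write-up describes and in a hardened shape. The `JobPortal` class, the `c-victim` account, `CONFIRM_WINDOW_SECONDS`, the method names and all tokens are constructed for the example; the endpoints are plain methods rather than HTTP handlers. It also covers the follow-up finding above: the hardened email change lives in one function that any endpoint touching the email must call, so a second update route cannot skip the check.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlparse

# Hypothetical "sudo mode" lifetime: how long a password confirmation stays valid
# for sensitive profile changes such as updating the login email.
CONFIRM_WINDOW_SECONDS = 300


def _hash_password(password: str) -> str:
    # Illustrative only; production code uses a slow, salted KDF (Argon2, bcrypt, scrypt).
    return hashlib.sha256(password.encode()).hexdigest()


def token_from_redirect(redirect_url: str) -> str:
    """Pull auth_token out of a '/?auth_token=...&contact_id=...&expire=...' URL."""
    return parse_qs(urlparse(redirect_url).query)["auth_token"][0]


class JobPortal:
    """In-memory stand-in for the portal's account state (constructed fixture)."""

    def __init__(self):
        # contact_id -> account; "c-victim" is a constructed pre-existing user.
        self.users = {"c-victim": {"email": "victim@example.com",
                                   "password_hash": _hash_password("victim-pass")}}
        # auth_token -> session; confirmed_at records the last password re-check.
        self.sessions = {}

    # ---------- helpers ----------
    def _find_by_email(self, email):
        return next((cid for cid, u in self.users.items() if u["email"] == email), None)

    def _register(self, email):
        cid = "c-" + secrets.token_hex(4)
        self.users[cid] = {"email": email, "password_hash": None}  # password set later
        return cid

    def _login_url(self, contact_id):
        token = secrets.token_urlsafe(24)
        self.sessions[token] = {"contact_id": contact_id, "confirmed_at": None}
        return f"/?auth_token={token}&contact_id={contact_id}&expire={int(time.time()) + 3600}"

    def login_with_token(self, auth_token):
        sess = self.sessions.get(auth_token)
        return None if sess is None else sess["contact_id"]

    def login_with_password(self, email, password):
        cid = self._find_by_email(email)
        stored = self.users[cid]["password_hash"] if cid else None
        if stored is None or not hmac.compare_digest(stored, _hash_password(password)):
            return None
        return token_from_redirect(self._login_url(cid))

    # ---------- /candidate/create ----------
    def candidate_create_vulnerable(self, email):
        """Reported behaviour: the 'is this email taken?' check answers with a
        login URL for whichever account owns the email, existing or new."""
        cid = self._find_by_email(email) or self._register(email)
        # Bug: an existing account's auth_token goes to anyone who types its email.
        return {"redirect_url": self._login_url(cid)}

    def candidate_create_hardened(self, email):
        """Only mint a session for the account this request actually created."""
        if self._find_by_email(email) is not None:
            return {"error": "email_already_registered", "redirect_url": None}
        return {"redirect_url": self._login_url(self._register(email))}

    # ---------- password confirmation (step-up) ----------
    def confirm_password(self, auth_token, password):
        """Server-side record that this session re-entered its password just now."""
        sess = self.sessions[auth_token]
        stored = self.users[sess["contact_id"]]["password_hash"]
        if stored is not None and hmac.compare_digest(stored, _hash_password(password)):
            sess["confirmed_at"] = time.monotonic()
            return True
        return False

    # ---------- email change ----------
    def _apply_email(self, contact_id, new_email):
        self.users[contact_id]["email"] = new_email
        return {"contact_id": contact_id, "email_address": new_email}

    def patch_profile_vulnerable(self, auth_token, body):
        sess = self.sessions.get(auth_token)
        if sess is None:
            return 401, {"error": "unauthenticated"}
        # Bug: the confirmation screen exists only in the UI; the API trusts any session.
        return 200, self._apply_email(sess["contact_id"], body["email_address"])

    def change_email_hardened(self, auth_token, new_email):
        """Single enforcement point: every route that edits the email calls this,
        so a second update endpoint cannot sidestep the check."""
        sess = self.sessions.get(auth_token)
        if sess is None:
            return 401, {"error": "unauthenticated"}
        stamp = sess["confirmed_at"]
        if stamp is None or time.monotonic() - stamp > CONFIRM_WINDOW_SECONDS:
            return 403, {"error": "password_confirmation_required"}
        return 200, self._apply_email(sess["contact_id"], new_email)

    def patch_profile_hardened(self, auth_token, body):
        return self.change_email_hardened(auth_token, body["email_address"])
```

The hardened `candidate_create_hardened` returns no token for an address that is already registered, so the email-check step can no longer act as an IDOR on sessions. The hardened PATCH path refuses the change unless `confirm_password` has stamped the session within the confirmation window; because the check sits in `change_email_hardened` rather than in the UI, a second route such as the `/contact/api/update/v1` one described above would have to go through the same gate.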

Thank you, everyone! Hope you guys enjoyed this writeup.

Twitter: @sakyb

