Tale of account takeover — Sensitive info Disclosure + Broken Access Control

Md Saqib
Jul 10, 2019 · 4 min read

Hi mates, I'm Md Saqib from India and I'm new to the bug hunting community; hope you are doing well. Today I'm going to share an interesting tale of an account takeover vulnerability in a HackerOne private program. The vulnerability is a chain of two bugs: sensitive information disclosure (a user's auth_token) through an IDOR, and a bypass of the password confirmation through broken access control. So let's get started! 😉


The program is a job portal site; as it is a private program we will call it redacted.com. I signed up as a candidate and tested for CSRF and stored XSS on the profile, but had no luck, so I decided to create another account to test for IDORs and to understand how the site works: registration, login, forgot password, etc. While creating the new account I intercepted every request the site made and read its response. During registration the site first asks for the user's email to check whether it is already registered. I entered a new email address there and checked the response.

Leaking Auth_Token

I was like wait! What?? 🙄

`"redirect_url":"/?auth_token=_v2_8dsf8asdf12ad4f5a4sdf56as1df65asdf56sd4ff&contact_id=11cb26ae&expire=1152315525"`

This looked interesting to me... so I went ahead and changed the email to that of an already existing account.

Indirect Object Reference on auth leakage

And I got the auth_token of an existing account, which means I can get anyone's auth_token through this endpoint, “/candidate/create”. This is damn interesting. I just needed to figure out how I could abuse it, so I immediately looked through the Burp Suite proxy history to see where the auth_token is used... and it's very simple:

https://redacted.com/?auth_token=d8fs4ds8fdsf84dsf8dsfads8fasd6f84dsf684dsafccv68f4&contact_id=52z1d5d4&expire=1152315525

I fired up incognito mode in the browser and hit the above link... AND BOOM!!! I was logged into the victim's account. Oh yeah, account takeover. Amazing! I clicked on the profile to see if I could change the password or email of the victim's account... and you know what? I couldn't see the victim's profile...

Ohhhh shit, password confirmation!!!!! 😥 I was like 🤮

I decided to bypass this somehow!

If you remember, I said that I successfully logged into the victim's account, but when I click on the profile it asks for password confirmation, which means the account is somehow identified by the current cookie. So if I can change the victim's email, I can then request a new password to my own email.


I logged in to my own account to check how the change-email functionality works. I found the endpoint used to update the email, ‘/api/profile’, which takes a PATCH request with a JSON body of the form `{"email_address":"attackers@gmail.com"}`.

So I sent a PATCH request to “https://redacted.com/api/profile” with the victim's cookie and the JSON body `{"email_address":"mynewmail@gmail.com"}` containing my new email.

Voila! Success!!

As you can see, I successfully bypassed the password confirmation by changing the victim's email to the attacker's address. Now I can request a password reset link to my own mail and reset the victim's password, thanks to broken authentication on the profile update endpoint.

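Both halves of the chain come down to server-side checks the application lacked: the registration pre-check returned an auth_token for an already registered email, and the profile PATCH accepted an email change from any session without re-checking the password. The following is an added example, not the program's code, in framework-free Python; the in-memory user store, the session dict and the field names are assumptions for illustration.

```python
import hashlib
import hmac
import os

REAUTH_WINDOW = 300   # seconds a password confirmation stays valid
SENSITIVE_FIELDS = {"email_address", "password"}

def _hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed in-memory user store, email -> record, holding one victim account
_SALT = os.urandom(16)
USERS = {"victim@example.com": {"salt": _SALT, "pw_hash": _hash_pw("correct horse", _SALT)}}

def check_email_exists(email: str) -> dict:
    """Registration pre-check. The flawed endpoint answered an existing email with a
    redirect_url carrying that account's auth_token; return only the yes/no asked for."""
    return {"exists": email in USERS}

def confirm_password(session: dict, password: str, now: float) -> bool:
    """Step-up auth: re-verify the logged-in user's password and stamp the session."""
    user = USERS.get(session.get("user"))
    if user is None or not hmac.compare_digest(user["pw_hash"], _hash_pw(password, user["salt"])):
        return False
    session["reauth_at"] = now
    return True

def update_profile(session: dict, patch: dict, now: float):
    """PATCH /api/profile. A session alone (e.g. one minted from an auth_token link) must
    not suffice to change email or password: sensitive fields need a fresh confirmation."""
    email = session.get("user")
    if email not in USERS:
        return 401, {"error": "not_authenticated"}
    if SENSITIVE_FIELDS & patch.keys():
        if now - session.get("reauth_at", float("-inf")) > REAUTH_WINDOW:
            return 403, {"error": "password_confirmation_required"}
        session.pop("reauth_at")          # one confirmation covers one sensitive change
    record = USERS[email]
    if "email_address" in patch:
        if patch["email_address"] in USERS:
            return 409, {"error": "email_in_use"}
        USERS[patch["email_address"]] = USERS.pop(email)
        session["user"] = patch["email_address"]
    if "password" in patch:
        record["salt"] = os.urandom(16)
        record["pw_hash"] = _hash_pw(patch["password"], record["salt"])
    return 200, {"email_address": session["user"]}
```

A real deployment would additionally notify the old address and invalidate other sessions on an email change, so a silent swap like the one in this write-up cannot go unnoticed.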

Awesome! I was awarded $2500 for this report, and the report was resolved within 4 days.


After this report was resolved I found another endpoint that can bypass the confirm-password protection by changing the victim's email address. The endpoint looks like this: “/contact/api/update/v1”. I was awarded another $150 for that bypass.

Thank you, everyone! Hope you guys enjoyed this writeup.

Twitter: @sakyb
