I am 12-year-old Shahriz Marks, also called 5kyw41k3r. Recently I found that you can change your username illegally on Ford. This can happen due to a lack of authentication. Unfortunately, Ford marked my issue as informative.
Today I am going to talk about exploiting it.
Before starting, this is for educational purposes only and I am not responsible for any of your actions.
What exactly is an unauthorized username change?
It is the ability to change a username without the permission of the victim user. This can happen due to problems in API call-outs and in the authentication of requests.
How to exploit it?
Before starting, you will need an installation of Burp Suite. You can find it on https://portswigger.net/.
- Go to Ford’s Website and login to your account.
- After logging in, head over to Your account, My information, Sign in credentials.
- Click on the little pencil icon and make minor changes to your username.
- Click update and intercept that request in the Burp Suite proxy.
- Now send this request to the repeater.
- Modify the request such that the username parameter is changed. Like this.
- Hit Go!
- As you can see, you get a 200 OK response code.
- Now, reload your browser and see the miracle.
As you saw, the username is changed. You can make this work regardless of whether the victim is logged out or logged in. All you need is the intercepted username-change request.
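As an added example (not part of the original post and not Ford's code), this toy in-memory model contrasts a handler that accepts any username-change request with one that ties the change to a live session, so a captured request stops working after logout. The `session_id` and `account_id` fields, the function names and the sample accounts are assumptions made for illustration.

```python
# Added illustration: a toy in-memory model, not Ford's code or API.
# Field names other than "username" (session_id, account_id) are hypothetical.
import secrets

ACCOUNTS = {"acct-1": "alice", "acct-2": "bob"}   # constructed sample data
SESSIONS = {}                                      # session_id -> account_id


def login(account_id):
    """Issue a random session token bound to one account."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = account_id
    return sid


def logout(session_id):
    """Invalidate the session server-side so captured requests stop working."""
    SESSIONS.pop(session_id, None)


def update_username_weak(request):
    """Trusts the account named in the body; never checks who is asking."""
    ACCOUNTS[request["account_id"]] = request["username"]
    return 200


def update_username_checked(request):
    """Derives the account from a live session; rejects a mismatched body id."""
    owner = SESSIONS.get(request.get("session_id"))
    if owner is None:
        return 401                      # no session, or session ended at logout
    if request.get("account_id", owner) != owner:
        return 403                      # caller is not the account owner
    new_name = request.get("username", "")
    if not new_name or new_name in ACCOUNTS.values():
        return 400                      # empty or already taken
    ACCOUNTS[owner] = new_name
    return 200
```
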
What will happen if I am able to perform this?
Well, if you are able to perform this, you need to warn the company about this. This can cause serious damage including account takeover and identity theft.
Ford, if you are reading this…
You really need to fix this issue and please be sure to write back to me. I can guide you on how to fix this.
That was it for my blog and I hope to see you soon!