Account Takeover by chaining two vulnerabilities.

First of all let me introduce myself. I am newbie to bug hunting and this is my first write-up so please ignore my mistakes.This is my first p2 that got triaged on Bugcrowd but this is not the reason behind this write-up.The reason behind this write-up is weird CSRF that i have encountered.I will try my best to explain these two vulnerabilities that are CSRF and Open Redirection that could lead to total account takeover.

I picked a random kudos program and start playing with it.Let’s call the program “example.com” because the bug is not resolve yet.The website have a functionality of adding secondary email that can be used for getting notifications and password reset link just like the primary email.Users can add their secondary email by going to email setting.Then they will receive confirmation email on their secondary email.When they click on confirm the “example.com” will ask for their credentials if they are not logged in that time and the website will pop-up a notification saying “Your secondary email is successfully added.

I added secondary email (attacker@test.com) on my test account (test_account@test.com) to check the flow and i got a confirmation email on my secondary email (attacker@test.com) asking me to confirm if i want to add this email to my test account.I clicked on confirm and the secondary email added to my test account.

Then i removed the secondary email from my test account because i wanted to check if there is a CSRF.Again i added my secondary email to my test account and capture the request with Burp.The CSRF tokens are there for the protection but when i removed the CSRF tokens and forward the request i received the confirmation link on my email just like before. i was like

But i need Victim credentials in order to add my email to his account.But what if i send the confirmation link to victim like reflected xss? If victim click on that confirmation link my email will be added to his account but the website will pop-up a notification saying “Your secondary email is successfully added” this way the attack will fail as victim will understand that a secondary email is added to his account.Let’s take a look at confirmation link which is “https://www.example.com/account/addEmail?email_ref=A3Ig_klkdfnw&st=2E67C2F5B0AF8DE90&redirect_url=email_settings”.As you can see “redirect_url” which is redirecting user to email_settings but what if i redirect user to other portion of the website like /home?So i changed the “redierct_url” to /home and the final url was “https://www.example.com/account/addEmail?email_ref=A3Ig_klkdfnw&st=2E67C2F5B0AF8DE90&redirect_url=home”.Now if user click on this link he will be redirect to home page of the website and our secondary email will be added without poping-up of any notification.

Then i made a proper CSRF attack page for confirmation and instead of adding my old secondary email (attacker@test.com) i added new email (attacker2@test.com) in CSRF attack page.When i run the CSRF attack page it through an error saying “missing CSRF tokens”. But when i added the old secondary email (attacker@test.com) in CSRF attack page it runs smoothly without any error and i received confirmation email just like before.

The website is processing the request without CSRF tokens for the email which has been added as a secondary email to any account before.But the website wont process the request without CSRF tokens if the email you are trying to add as secondary email has not been added before to any account.This is some weird CSRF and i spent good amount of time to figure this out.

I made a nice report and submitted it to the program.The Bugcrowd created a blocker because they were not able to reproduce it and asked me to send them the CSRF attack page with my own email.So i sent them a CSRF attack page containing my own email and i was able to get a confirmation email for their account and that was enough to get my report marked as triaged.After some days i got a response from Bugcrowd “Later today, you will receive an invitation to the example.com Private program and I kindly ask you to file a report in Private program with the same details (just copy paste the vulnerability report) and I’ll make you a surprise shortly after you will create the submission.
Be on the lookout for the private invitation email on your inbox :)”.Next day i received Private invitation from the program i just submitted the same report and within no time my report was marked as triaged to unresolved and i received a nice 4 digits bounty from the program :D

That’s it.Please ignore my mistakes as English don’t comes to me 😜.You can approach me on my twitter if you have any confusion.