My name is Sumit Jain. I hope you are all doing well and scoring bounties 😉 Today I want to share one of my findings from a private program.
While searching Google for new private programs, I found the security page of a newly launched cryptocurrency website, so I thought I would try my luck there.
I created an account to dig in and started testing the password reset functionality. After receiving the reset link I noticed something odd: the email address was disclosed in the link alongside a token. I decided to test it further and quickly created another account to understand it better.
So now I had two accounts, User A (firstname.lastname@example.org) and User B (email@example.com). I requested a password reset for User A. The link I received looked like this:
I changed the email address in the link to User B's, but it returned an error; I was not able to reset User B's password this way.
So I looked at the token: it is an 8 digit code. I tried to brute force the token value, but my requests got blocked after some attempts.
Next I generated a password reset link for User B and observed its token. I noticed that the tokens were not generated randomly; they were generated in increasing order. Great 😜
Now it was time to take over the account. I generated the password reset links for both accounts at the same time.
The link I received for User A is:
For User B:
It was easy to guess the token, and after substituting it and User B's email address into my own reset link, I was able to reset User B's password, which leads to a full account takeover of User B.
The only thing I had to do was request the two reset links at the same time.
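As an added example (not part of the original write-up), here is how a reset flow in Python avoids the two weaknesses described above: the token comes from a CSPRNG rather than a counter, and it is bound to the account it was issued for, so swapping the email address in the link fails. The `ResetStore` class and the `looks_sequential` check are hypothetical; the latter is a sanity check a team can run over a sample of its own issued tokens.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass, field

RESET_TTL = 15 * 60  # seconds a reset token stays valid


def _now(now):
    return time.time() if now is None else now


@dataclass
class ResetStore:
    # sha256(token) -> (bound email, expiry). Hypothetical in-memory store standing in for a DB table.
    _tokens: dict = field(default_factory=dict)

    def issue(self, email: str, now=None) -> str:
        """Issue an unpredictable reset token bound to exactly one account."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, not an incrementing counter
        digest = hashlib.sha256(token.encode()).hexdigest()  # store only the hash, like a password
        self._tokens[digest] = (email, _now(now) + RESET_TTL)
        return token

    def redeem(self, email: str, token: str, now=None) -> bool:
        """Accept a token only if it exists, is unexpired and was issued for this email. Single use."""
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self._tokens.pop(digest, None)  # burned on first presentation, match or not
        if entry is None:
            return False
        bound_email, expires = entry
        # The email in the link is not trusted on its own; it must match the account the token was issued for.
        return bound_email == email and _now(now) < expires


def looks_sequential(tokens) -> bool:
    """Defender-side check over a sample of issued tokens: all numeric with one constant non-zero stride."""
    try:
        values = [int(t) for t in tokens]
    except ValueError:
        return False  # non-numeric tokens cannot be a simple counter
    strides = {b - a for a, b in zip(values, values[1:])}
    return len(values) >= 3 and len(strides) == 1 and strides != {0}
```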
I hope you enjoyed reading this. Thank you very much.
Until next time