
Account Takeover Vulnerability :)

Hello Everyone!

My name is Sumit Jain. I hope you all are good, scoring bounties 😉 Today I want to share one of my findings, which I found on a private program.

So while searching for some new private programs on Google, I found the security page of a newly launched cryptocurrency website. So I thought, let's try my luck here.

So I created an account to dig more and tried to test the password reset functionality. After receiving the link I noticed something weird: the email address is disclosed in the link along with a token. I decided to test it more, and quickly created another account to understand it better.

So now I have two accounts, User A (abc@gmail.com) and User B (xyz@gmail.com). I tried to reset the password for User A. The link I received looks like

https://example.com/en-gb/restore/setPassword/?token=sometoken-t-/emailAddress=abc@gmail.com

I changed the value of the email address to User B's, but it gave me an error, as I am not able to reset the password for User B.


So I looked at the token; it is an 8-digit code. I tried to brute force the token value, but my requests got blocked after some attempts.

Now I generated a password reset link for User B and observed the token. Suddenly I noticed that the token is not generated randomly. Tokens are generated in increasing order. Great 😜


Now it's time to take over the account. I generated the password reset link for both accounts at the same time.

The link I received for User A is

https://example.com/en-gb/restore/setPassword/?token=78964578-t/emailAddress=abc@gmail.com&uid=somevalue(random)

For User B

https://example.com/en-gb/restore/setPassword/?token=78964579-t/emailAddress=xyz@gmail.com&uid=somevalue(random)

It's easy to guess the token, and after swapping it into my reset link along with the email address, I am able to reset the password of User B, which leads to account takeover of User B.

The only thing I have to do is request both reset links at the same time.
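To show why this works and what a fixed reset flow looks like, here is an added example (my own code, not the post's or the affected site's). The counter class mirrors the scheme the post describes; the hardened class issues random tokens stored only as hashes, bound to the requesting account, expiring and single-use. The class names, the `looks_sequential` audit helper and the starting counter value are constructed for the example.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60

class CounterResetTokens:
    """Weak scheme from the write-up: a global counter, so two links requested together get adjacent tokens (start value constructed)."""

    def __init__(self, start=78964578):
        self._next = start

    def issue(self, email: str) -> str:
        token = f"{self._next}-t"  # the email is not bound to the token at all
        self._next += 1
        return token

def looks_sequential(tokens) -> bool:
    """Audit helper: True if numeric tokens issued in order differ by a constant step, i.e. one token predicts its neighbours."""
    try:
        values = [int(t.split("-")[0]) for t in tokens]
    except ValueError:
        return False  # non-numeric tokens: this check does not apply
    steps = {b - a for a, b in zip(values, values[1:])}
    return len(values) > 1 and len(steps) == 1

class HardenedResetTokens:
    """Random token, stored only as a hash, bound to one account, expiring, single-use."""

    def __init__(self, now=time.time):
        self._now = now
        self._pending = {}  # sha256(token) -> (user_id, expires_at)

    def issue(self, user_id: str) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._pending[digest] = (user_id, self._now() + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, user_id: str, token: str) -> bool:
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self._pending.get(digest)
        if entry is None:
            return False
        owner, expires_at = entry
        if owner != user_id or self._now() > expires_at:
            return False  # issued for another account, or stale
        del self._pending[digest]  # a redeemed token cannot be replayed
        return True
```

With the hardened class, a token issued for User A is rejected for User B regardless of which email address appears in the link, so the swap described above no longer resets anything.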

Hope you guys liked reading it. Thank you very much.

Until next time
