Account Takeover Through Password Reset Poisoning

Vishal Bharad
Dec 19, 2019 · 3 min read

Introduction :

Hello, I am Vishal Bharad, I am Mechanical Engineer :D and working as Penetration Tester. I’m here to share about my findings on Full Account Takeover.

About the Vulnerability :

For Discovering the bug I have tested many tricks on the website. Assume redacted.com. When finding the bugs i decided that find some bugs on Forget Password Page.

I tried on many websites about 6 to 8 hours. Then after so many attempts I have found a big and interesting vulnerability which leads to Full Account Takeover

Tools Used for this Vulnerability:

  1. BurpSuite
  2. Ngrok Server

Steps to Reproduce:

  1. Go to https://redacted.com/users/forgot_password and type username to get forget password link.
  2. Capture this request in Burpsuite and add X-Forwarded-Host: bing.com
Added Host Header

3. Then forward the request and check your email. You got an email of Password reset with token. Which looks Like (https://bing.com/users/reset_password/tqo4Xciu806oiR1FjX8RtIUc1DTcm1B5Kqb53j1fLEkzMW2GPgCpuEODDStpRaES)

Here token is Leak to the bing.com. So Now to confirm this token is True or not. Put https://redacted.com instead of https://bing.com and open in browser.

4. So the password reset link is valid and i can able to reset the password.

After Finding this bug I have decided to Exploit it.

Exploitation:

After this I decided to perform How hacker can able to exploit this bug.

Followings are the Steps Regarding Exploitation.

  1. I created my server via ngrok which is Attackers server.
  2. Then Attacker go to the page which is https://redacted.com/users/forgot_password and type Victim username and capture the request in Burp suite.
  3. In captured request Attacker add “X-Forwarded-Host: ngrok.io” ngrok.io=ngrok server address.

4. So after that Victim can get the Password reset URL and the domain of that reset link is ngrok server address or domain. (For the exploitation It need victim interaction or one time click only)

5. Whenever victim is click on that link. Attacker can get the full token in his server

6. When attacker can get the password reset token he will only change the ngrok domain name to Main Domain to Takeover the Account.

Thank You

Disclosure :

  1. I reported to them 1st August
  2. They saw the report, steps to reproduce, and PoC(Screenshots, Videos).
  3. And, they rewarded me with 3 digit $(Between $700-$1000).

Thanks

Looking forward to share more blogs

Best Regards

Vishal Bharad

Linkedin Profile : https://www.linkedin.com/in/vishal-bharad-b476b388/

Vishal Bharad

Written by

Penetration Tester, Bug Bounty Hunter, Security Researcher

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade