Unauthorized access to any user’s account.
Hi everyone! This is Vikram Naidu, bug bounty hunter and cybersecurity researcher from India. Hope you all are safe. This is my second writeup, and it is about my recent finding on a private program where I was able to bypass the authentication mechanism. I will be demonstrating how I was able to gain unauthorized access to all the users' accounts and see all their data. (In simple terms, I was able to get into anyone's account without knowing their password.)
Let's dive into the process. Below is the login portal, which asks the user to enter a user ID and password.
I observed that the usernames of all the users follow a fixed pattern.
So the usernames look something like *******001, *******002, *******003, etc., and passwords are unique for every user.
First I created two accounts (a victim account and an attacker account). Then I entered the attacker's username and password and checked the response to this request using Burp Suite (a proxy tool). It looks something like this:
If you look at the response from the server closely, it is sending a JWT (JSON Web Token).
WHAT IS A JSON WEB TOKEN?
A JSON Web Token (JWT) is a JSON object used to securely transfer information over the web between two parties. It can be used for an authentication system and can also be used for information exchange. The token is composed of three parts: a header, a payload, and a signature. These three parts are separated by dots (.), and the signature is what lets the receiving side confirm that the header and payload have not been altered.
After decoding the JWT, I found that it carries the user ID.
Here in the payload data you can see the attacker's username as *********2. I changed the username in the payload to the victim's username, obtained a new JWT, replaced my token in the response with it, and forwarded the response to the browser to check whether I could log in to the victim's account. As soon as I replaced and forwarded the response, the browser showed only the victim's username but did not complete the login. Still, I was sure there was some misconfiguration here. So I repeated the process from step 1 to check the response. This time, before forwarding the response to the browser, I changed the username to the victim's username in the browser itself. See the picture below:
Here I changed the username to *******106 and forwarded the response to the browser, and as expected the server was vulnerable because it did not validate the user's identity on its own side and could be fooled by response manipulation. I was able to log in to the victim's account. See the screenshot below, where I could see all of the victim's details and was logged into their account.
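The root cause described above is that the application let a client-side value decide who was logged in instead of re-checking the token's signature on the server. The following is an added example, not code from the original post or from the affected program, showing the three-part JWT structure from the section above and a server-side check that rejects a token whose payload was edited after signing. The HS256 shared secret, the claim name `username`, and the helper names are assumptions made for this illustration; the tampered token is built only as a regression-test input so the check can be exercised offline.

```python
import base64
import hashlib
import hmac
import json

# Constructed secret for this example only; a real server keeps this private
# and never ships it to the client.
SECRET = b"example-server-secret-do-not-reuse"


def _b64url_encode(data: bytes) -> str:
    """Base64url without padding, as JWT uses for all three parts."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    """Base64url decode, restoring the padding that JWT strips."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims: dict) -> str:
    """Build header.payload.signature with HMAC-SHA256 over header.payload."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_token(token: str):
    """Return the claims only if the signature over header.payload is valid.

    Returns None for malformed, unsigned, wrong-algorithm or tampered tokens.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        provided_sig = _b64url_decode(sig_b64)
    except ValueError:  # bad base64 or bad JSON (binascii.Error is a ValueError)
        return None
    # Pin the algorithm server-side; the token must not get to choose it.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected_sig = hmac.new(
        SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256
    ).digest()
    if not hmac.compare_digest(expected_sig, provided_sig):
        return None
    try:
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:
        return None
    return claims if isinstance(claims, dict) else None


def tampered_username_token(token: str, new_username: str) -> str:
    """Test input: re-encode the payload with another username, old signature kept.

    This is the edit the writeup describes; a correct server must reject it.
    """
    header_b64, payload_b64, sig_b64 = token.split(".")
    claims = json.loads(_b64url_decode(payload_b64))
    claims["username"] = new_username
    new_payload_b64 = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header_b64}.{new_payload_b64}.{sig_b64}"


def whoami(token: str) -> str:
    """The identity a server should trust: taken from the verified token only,
    never from a username the browser or the response body reports back."""
    claims = verify_token(token)
    return claims["username"] if claims else "unauthenticated"


if __name__ == "__main__":
    token = issue_token({"username": "user001"})  # constructed sample user
    print("valid token   ->", whoami(token))
    forged = tampered_username_token(token, "user106")
    print("edited payload ->", whoami(forged))
```

The design point is that `whoami` derives the logged-in user from `verify_token` and nothing else: a payload edited in a proxy fails the HMAC comparison, and a header that names a different algorithm (including `none`) is refused before the signature is even examined. Whatever username the browser displays after a manipulated response is irrelevant, because the server never reads it.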
Mission accomplished: logged into the victim's account.
Note: I reported it to the organization on 08–10–2020; it was fixed within hours and I received a $$$$ bounty.
Hope you enjoyed my blog.