Hi All
This is a short post on one of my findings in a Bugcrowd Private program, which could result in account takeover of any user by an attacker.
Vulnerability Type:
A2:2017 - Broken Authentication
Product Area:
Attack Vector:
Password Reset
Impact:
Unauthorized access to any User account
Proof of Concept:
The password reset functionality in this application was based on OTP validation. To reset the password of an account, we just need to click the reset button, and an OTP is sent to the account's email address. The flaw was that no rate limiting was in place, giving an attacker endless opportunities to brute-force the 6-digit OTP.
Within some time, I was able to reset the password of an account by intercepting the OTP validation request and brute-forcing the 6-digit number. Using this, it is possible to change and reset the password of any account by changing the user data and brute-forcing the reset OTP.
Vulnerable request
Response
Brute-forcing the OTP successfully allowed me to set a new password for any e-commerce user.
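The server-side control whose absence is described above, as an added example (not the application's code and not part of the original report): each issued OTP gets a fixed budget of wrong guesses and is burned once the budget is spent, and issuance is capped so that requesting a new OTP cannot refill the budget. The class name, the limits and the in-memory store are assumptions for illustration.

```python
import hmac
import secrets
import time

# Assumed policy values for illustration; tune to the application.
MAX_ATTEMPTS = 5          # wrong guesses allowed per issued OTP
OTP_TTL_SECONDS = 600     # lifetime of an issued OTP
MAX_ISSUES_PER_HOUR = 3   # reset OTPs one account may request per hour

class ResetOtpStore:
    """In-memory stand-in for a server-side store keyed by account."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._pending = {}   # account -> [otp, expires_at, failed_guesses]
        self._issued = {}    # account -> timestamps of recent issuances

    def issue(self, account):
        now = self._clock()
        recent = [t for t in self._issued.get(account, []) if now - t < 3600]
        if len(recent) >= MAX_ISSUES_PER_HOUR:
            return None      # re-requesting must not refill the guess budget
        self._issued[account] = recent + [now]
        otp = f"{secrets.randbelow(10**6):06d}"
        self._pending[account] = [otp, now + OTP_TTL_SECONDS, 0]
        return otp           # delivered by email only, never in the HTTP response

    def verify(self, account, guess):
        entry = self._pending.get(account)
        if entry is None:
            return "no_pending_otp"
        if self._clock() >= entry[1]:
            del self._pending[account]
            return "expired"
        if hmac.compare_digest(entry[0].encode(), str(guess).encode()):
            del self._pending[account]   # single use
            return "ok"
        entry[2] += 1                    # counted per account, not per IP or session
        if entry[2] >= MAX_ATTEMPTS:
            del self._pending[account]   # burn the OTP; a new one must be requested
            return "locked"
        return "invalid"

def hourly_guess_bound():
    """Upper bound on the chance of guessing a 6-digit OTP within one hour."""
    return MAX_ATTEMPTS * MAX_ISSUES_PER_HOUR / 10**6
```

With these limits an attacker gets at most 15 guesses per account per hour against a space of 1,000,000 codes, and the counter follows the account rather than the client, so rotating IP addresses or sessions does not reset it.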
Disclosure Timeline:
11 Jul 2019 : Report sent to Bugcrowd Program.
4 Feb 2020 : Verified the fix
Related Reports : https://thehackernews.com/2016/03/hack-facebook-account.html