Zero Click account Takeover
Peace be upon you.
My name is Zahir, a bug bounty hunter from Sudan.
I will share a critical bug that I found in the Upchieve program on HackerOne (h1).
Description :-
I like testing password reset functionality, so I created a temp mail with mohmal and signed up on Upchieve.
The reset password request was a POST with a JSON body containing one parameter, email:
{"email": "me@mail.com"}
and the response was:
{"msg": "password reset email sent"}
I tried making the email parameter value an array of two emails, to manipulate the functionality into sending the reset link to both email1 and email2:
{
"email": ["victimMail", "attackerMail"]
}
Nice, the msg was "password reset email sent" again.
I checked my second mailbox (I had never signed up on Upchieve with it) and it had received a password reset mail from Upchieve:
From: upchieve
To: my victim email and my attacker email
I checked whether the reset link token was the same in both emails, and it was :')
At that point it was already a critical bug, but I wanted to escalate it further.
My Burp scanner had found a disclosed email address belonging to Upchieve.
I could not take over that account, as the program policy forbids it, but I mentioned it in the attack scenario.
Triaged with severity Critical (9.8).
Notice :-
An email address is not private information (you can get it from LinkedIn, etc.), so this is a zero-click ATO.
I will share a tip with every writeup.
Tip :- in the reset password request:
1. use the Content Type Converter Burp extension
2. convert the request to JSON; if the application accepts it, try this trick
3. convert the request to XML; if the application accepts it, you can try XXE
Twitter :- @zero_or_1