Zero Click Account Takeover

Zahir Tariq
Jun 19, 2021


Peace be upon you

My name is Zahir, a bug bounty hunter from Sudan.

I will share a critical bug that I found in the Upchieve program on H1.

Description :-

I like to test reset password functionality, so I made a temp mail with mohmal and signed up in Upchieve.

In the reset password request there was a POST JSON parameter => email

"email":"me@mail.com"

and the response was

"msg":"password reset email sent"

I tried to make the email parameter value an array with 2 mails, to manipulate the functionality and send the email link to email1 and email2

{
  "email":["victimMail","attackerMail"]
}

Nice, the msg is "password reset email sent"

I checked my 2nd mail (I didn't sign up with it in Upchieve) and I got a reset password mail from Upchieve

From : Upchieve

To : my victim email, and my attacker email

I checked if the reset link token is the same in both emails and it was :')

Until now it's a critical bug, but I liked to escalate it more.

My Burp scanner found a disclosed email address belonging to Upchieve.

I can't take it over, as the program policy says, but I mentioned it as the attack scenario.

Triaged with severity critical 9.8
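The behaviour described above (one reset token delivered to every address in the array) is what happens when a handler passes the JSON `email` value straight to both the user lookup and the mailer. The following is an added example, not code from the original writeup or from Upchieve: the handlers, the lookup and the stand-in mailer are hypothetical, and the mailer accepting an array of recipients is an assumption. It shows that shape next to a hardened version that rejects non-string input and mails only the address on record.

```javascript
// Constructed model of the reset flow; every name here is hypothetical.
const users = [{ email: "victim@example.test", resetToken: null }];

// Stand-in mailer that accepts a string or an array in `to` (assumption).
function sendMail(outbox, to, token) {
  const recipients = Array.isArray(to) ? to : [to];
  for (const rcpt of recipients) outbox.push({ rcpt, token });
}

// Loose lookup: matches if any supplied value is a registered address.
function findUser(email) {
  const candidates = Array.isArray(email) ? email : [email];
  return users.find((u) => candidates.includes(u.email));
}

// Unsafe shape: the request value is both lookup key and recipient list.
// The token is a parameter to keep the example deterministic; a real
// handler generates it with a CSPRNG.
function resetVulnerable(body, outbox, token) {
  const user = findUser(body.email);
  if (user) {
    user.resetToken = token;
    sendMail(outbox, body.email, token);
  }
  return { status: 200, msg: "password reset email sent" };
}

// Hardened shape: accept exactly one address string, then mail the
// address stored on the account, never the value from the request.
function resetHardened(body, outbox, token) {
  const email = body ? body.email : undefined;
  if (typeof email !== "string" || !/^[^\s@,;]+@[^\s@,;]+$/.test(email)) {
    return { status: 400, msg: "invalid email" };
  }
  const user = findUser(email);
  if (user) {
    user.resetToken = token;
    sendMail(outbox, user.email, token);
  }
  return { status: 200, msg: "password reset email sent" };
}

// Constructed request body in the form shown in the writeup.
const payload = { email: ["victim@example.test", "attacker@example.test"] };
const leaked = [];
resetVulnerable(payload, leaked, "constructed-token-1");
console.log(leaked.map((m) => m.rcpt)); // both addresses receive the token
const safe = [];
console.log(resetHardened(payload, safe, "constructed-token-2").status, safe.length);
```

The same type check belongs in any schema validation layer in front of the handler, so arrays and objects are refused before they reach the database query or the mail client.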

Notice :-

An email address is not private information; you can get it from LinkedIn, etc., so this is a zero-click ATO.

I will share a tip with every writeup.

Tip :- in the reset password request

1. Use the Content Type Converter Burp extension.

2. Convert the request to JSON; if the application accepts it, try this trick.

3. Convert the request to XML, and if the application accepts it you can try XXE.

Twitter :- @zero_or_1
