#BugBounty — “Let me reset your password and log in to your account” - How I was able to compromise any user account via the Reset Password functionality
One more blog post explaining an interesting vulnerability that I found a while back in one of the mobile wallet companies of India.
To log in to any online website, we need a username, which can be the user’s registered mail id, and the password the user has set for it. If the user doesn’t remember the password, the Reset Password feature comes to help. While researching for vulnerabilities around this feature, I found a logical flaw by which I was able to reset any user’s password and log in with it to take over that user’s account.
Let’s now get into the explanation:
1. When I clicked on the Reset Password functionality for the account “email@example.com”, I received a mail saying “To reset the password, please click on the below link-” and the link was something like —
2. Here ‘id’ is the identification number associated with the user account, ‘token’ is the base64-encoded registered mail id of the user, which here decodes to “firstname.lastname@example.org”, and ‘vit’ is the base64-encoded timestamp, which here decodes to “2016/10/25”.
3. Researching more, I found that the timestamp parameter is the expiry date of the reset password link, which here was 2 days after the time the user clicked on the reset password option.
4. Here comes the step of compromising a user account. By user enumeration on the same page, I found one valid user account and generated a forgot password link for it. Now began the task of finding the right reset password link: I replaced the mail id with the victim’s, encoded it to base64, and set the timestamp value to 2 days ahead of the current date.
Victim mail id — email@example.com
Base64 encoded value (Parameter = token) — dmFydW4wOTgxMUBnbWFpbC5jb20=
Timestamp value (Parameter = vit) — MjAxNi8xMC8yNQ=
5. The other part is finding the “id” associated with that particular user mail id. Since it is a 6-digit number, I tried brute forcing it (fortunately no rate limiting was set), and after a while I found the right id associated with the victim mail id, which happened to be id=254346 (yes, this is somewhat time consuming).
6. So the tampered URL looked like -
I loaded the link in the browser and was presented with the “Set new password” page.
I reset his password and was successfully able to log in to his account. I had complete access to his account: I could use his wallet money, change the registered mobile number, and everything else!
I reported this vulnerability to the enterprise concerned, and they were quick to patch it within 2 days. I thank the company for the small token of appreciation :)
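The post does not describe the company’s patch, so here is an added example (not code from the original post or from the company) that puts the verification the post implies, a link made only of base64(email) and a client-supplied expiry, beside a hardened design: a random server-issued token, only its hash stored, a server-side expiry and single use. The user id, email and dates are constructed sample data; `weak_verify`, `ResetTokens` and `demo` are names chosen for this example.

```python
import base64
import hashlib
import secrets
from datetime import datetime, timedelta, timezone

# Weak scheme as described in the post: the link carries a numeric id,
# base64(registered email) and base64(expiry date), so it holds no secret;
# the server can only check that the pieces decode and match.
def weak_verify(user_id, token, vit, users, now):
    email = base64.b64decode(token).decode()
    expiry = datetime.strptime(base64.b64decode(vit).decode(), "%Y/%m/%d").date()
    return users.get(user_id) == email and now.date() <= expiry

# Hardened scheme (added example): random token, only its hash stored,
# server-chosen expiry, single use.
class ResetTokens:
    def __init__(self, ttl=timedelta(hours=1)):
        self.ttl = ttl
        self.pending = {}  # sha256(token) -> (user_id, expires_at)
    def issue(self, user_id, now):
        token = secrets.token_urlsafe(32)  # 256 bits, unguessable
        digest = hashlib.sha256(token.encode()).hexdigest()
        self.pending[digest] = (user_id, now + self.ttl)
        return token  # goes only into the email, never stored in clear
    def redeem(self, token, now):
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self.pending.pop(digest, None)  # pop makes it single use
        if entry is None:
            return None
        user_id, expires_at = entry
        return user_id if now <= expires_at else None

def demo():
    users = {254346: "victim@example.com"}  # constructed sample data
    now = datetime(2016, 10, 23, tzinfo=timezone.utc)  # fixed clock
    # Weak scheme: a link assembled from the public email and a future date
    # verifies although the server never issued it.
    token = base64.b64encode(b"victim@example.com").decode()
    vit = base64.b64encode(b"2016/10/25").decode()
    weak_accepts_unissued = weak_verify(254346, token, vit, users, now)
    # Hardened scheme: only the issued token works, once, and before expiry.
    store = ResetTokens()
    real = store.issue(254346, now)
    guessed = store.redeem(token, now)
    first, second = store.redeem(real, now), store.redeem(real, now)
    late = store.redeem(store.issue(254346, now), now + timedelta(hours=2))
    return weak_accepts_unissued, guessed, first, second, late

if __name__ == "__main__":
    print(demo())  # (True, None, 254346, None, None)
```

The numeric id brute force the post mentions is a separate weakness: rate limiting on the reset endpoint and a non-sequential user reference in the link address it, and the hardened token above makes a guessed id useless on its own.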
Thanks for reading!