#BugBounty — “Let me reset your password and login into your account “-How I was able to Compromise any User Account via Reset Password Functionality

Hi Guys,

One more interesting blog explaining an interesting vulnerability that I founded a while back in one of the Mobile Wallet Companies of India.

To login into any online website , we need to have an username which can be user’s registered mail id and password that he has set for it and if he doesn’t remember his password, there is a Reset Password Feature which comes to help. While researching out for the vulnerability around this feature , I found a logical flaw by which I was able to reset any user password and login with the same to takeover any user’s account.

Let’s now enter into the explanation-

  1. When I clicked on Reset password functionality for the account “testaccount09@gmail.com”, I received a mail saying “To reset the password , please click on the below link-” and the link was something —

http://www._________.com/account/resetpassword? id=296417&token=dGVzdGFjY291bnQwOUBnbWFpbC5jb20=&vit=MjAxNi8xMC8yNQ==

2. Here ‘id’ is the identification number associated with the user account and ‘token’ is the base64 decoded registered mail ID of the user which here is “testaccount09@gmail.com” and ‘vit’ is the base64 decoded time stamp whose value in this case is “2016/10/25”

3. Researching more, I have found that the timestamp parameter is the expiry date of the reset password link which here was 2 days ahead from the time user clicked on the reset password option.

4. Here comes the step of compromising user account.By user enumeration on the same page, I found one valid user account, generated forgot password link for it and now begins the task for finding the right reset password link, I replaced the mail id of the user and encoded it to base64 and kept the timestamp value to 2 days ahead of the current date.

Victim mail id — varun09811@gmail.com

Base64 encoded value (Parameter = token) — dmFydW4wOTgxMUBnbWFpbC5jb20=

Timestamp value (Parameter = vit) — MjAxNi8xMC8yNQ=

5. Another part comes here is to find “id” associated with that particular user mail id. Since it’s a 6 digit code so I tried brute forcing it (fortunately no rate limiting was set ) and after a while, I found the right id associated with the victim mail id which happens to be id=254346 .( yes, this is something time consuming ).

6. So the tampered URL looks like -

http://www._________.com/account/resetpassword/?id=254346&token=dmFydW4wOTgxMUBnbWFpbC5jb20=&vit=MjAxNi8xMC8yNQ=

I loaded the link in the browser, and I was presented with “Set new password” ,

New Password Set Page

I reset his password and was successfully able to login into his account. I had the complete access to his account, can use his wallet money , change registered mobile number and everything!


I reported this vulnerability to the concerned enterprise, and they were quick to patch it within 2 days. I thank the company for the small token of appreciation :)

Thanks for reading!

~Logicbomb (https://twitter.com/logicbomb_1)

InfoSec Write-ups

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties and CTFs to vulnhub machines, hardware challenges and real life encounters. In a nutshell, we are the largest InfoSec publication on Medium. Maintained by Hackrew

Avinash Jain (@logicbomb_1)

Written by

Lead Infrastructure Security Engineer @Grofers | DevSecOps | Speaker | Breaking stuff to learn | Featured in Forbes | Acknowledged by Google,NASA,Yahoo,UN etc

InfoSec Write-ups

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties and CTFs to vulnhub machines, hardware challenges and real life encounters. In a nutshell, we are the largest InfoSec publication on Medium. Maintained by Hackrew

More From Medium

More from InfoSec Write-ups

More from InfoSec Write-ups

More from InfoSec Write-ups

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade