#BugBounty — “Let me reset your password and log in to your account” - How I was able to compromise any user account via the Reset Password functionality

Hi Guys,

One more interesting blog post, explaining a vulnerability I found a while back in one of the mobile wallet companies of India.

To log in to any online website, we need a username, which is usually the user’s registered mail id, and the password he has set for it; if he doesn’t remember his password, the Reset Password feature comes to help. While researching vulnerabilities around this feature, I found a logical flaw by which I was able to reset any user’s password and log in with it to take over that user’s account.

Let’s now enter into the explanation-

1. When I clicked on the Reset Password functionality for the account “testaccount09@gmail.com”, I received a mail saying “To reset the password, please click on the below link-”, and the link was something like —

http://www._________.com/account/resetpassword?id=296417&token=dGVzdGFjY291bnQwOUBnbWFpbC5jb20=&vit=MjAxNi8xMC8yNQ==

2. Here ‘id’ is the identification number associated with the user account, ‘token’ is the base64-encoded registered mail ID of the user, which here is “testaccount09@gmail.com”, and ‘vit’ is the base64-encoded timestamp, whose value in this case is “2016/10/25”.

3. Researching more, I found that the timestamp parameter is the expiry date of the reset password link, which here was 2 days ahead of the time the user clicked the Reset Password option.

4. Here comes the step of compromising a user account. By user enumeration on the same page, I found one valid user account and generated a forgot-password link for it. Now began the task of finding the right reset password link: I replaced the mail id with the victim’s, encoded it to base64, and set the timestamp value to 2 days ahead of the current date.

Victim mail id — varun09811@gmail.com

Base64 encoded value (Parameter = token) — dmFydW4wOTgxMUBnbWFpbC5jb20=

Timestamp value (Parameter = vit) — MjAxNi8xMC8yNQ==

5. The other part is to find the “id” associated with that particular user mail id. Since it’s a 6-digit code, I tried brute-forcing it (fortunately no rate limiting was set), and after a while I found the right id associated with the victim mail id, which happened to be id=254346 (yes, this is somewhat time consuming).

6. So the tampered URL looks like -


I loaded the link in the browser and was presented with “Set new password”,

New Password Set Page

I reset his password and was able to log in to his account. I had complete access to it: I could use his wallet money, change the registered mobile number, and everything else!
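As an added example (not the company’s code, written here for illustration), this is how a reset link can be built so that none of the three weaknesses above apply: the token is 32 random bytes rather than the base64 of the mail id, the expiry and the user binding are kept server-side instead of in the URL, and the token is consumed on first use. The class and method names are assumed.

```python
# Added example of a password-reset token design that is not derivable
# from the mail id, the user id or the date. ResetStore is a hypothetical
# name; a real deployment would back it with a database table.
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 2 * 24 * 3600  # the 2-day window, enforced server-side


class ResetStore:
    """Pending reset tokens, keyed by SHA-256(token) so a leaked table
    does not yield usable links."""

    def __init__(self, now=time.time):
        self._now = now              # injectable clock, useful for testing
        self._pending = {}           # token_hash -> (user_id, expires_at)

    @staticmethod
    def _digest(token: str) -> bytes:
        return hashlib.sha256(token.encode("utf-8")).digest()

    def issue(self, user_id: int) -> str:
        # 256 bits from the OS CSPRNG: nothing about the account is in it,
        # so knowing the mail id or enumerating ids gives no head start.
        token = secrets.token_urlsafe(32)
        expires_at = self._now() + TOKEN_TTL_SECONDS
        self._pending[self._digest(token)] = (user_id, expires_at)
        return token  # the only parameter that needs to go in the link

    def redeem(self, token: str):
        """Return the bound user_id if the token is valid, else None.
        The token is removed on the first attempt either way (single use)."""
        entry = self._pending.pop(self._digest(token), None)
        if entry is None:
            return None
        user_id, expires_at = entry
        if self._now() > expires_at:  # expiry is checked from server state
            return None
        return user_id
```

The link only needs `?token=<value>`; the server learns the user and the deadline from its own store, so a client cannot substitute an `id` or push the expiry forward.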

I reported this vulnerability to the concerned enterprise, and they were quick to patch it within 2 days. I thank the company for the small token of appreciation :)

Thanks for reading!

~Logicbomb (https://twitter.com/logicbomb_1)