How I discovered an interesting account takeover flaw

Akash Methani
Jan 14 · 3 min read

Hi everyone, today I will talk about an interesting account takeover flaw that I found around a year back. The root cause of this issue was the algorithm that generated the password reset tokens.

Let’s call the application program.com.

Like any other application on the web, this one also had a forgot-password feature. I had literally forgotten my account’s password and requested a reset link, and I noticed something weird: every time I requested a reset link for this account, the first 3 characters of the token stayed the same. This caught my attention and I started to dig.

https://program.com/forgot_password/<TOKEN-HERE>

After a few minutes, I realised these 3 characters were the fourth to second letters of my email address in reverse order. For example, suppose you have the email address johndoe@domain.com and you request a password reset link. The first 3 characters of the token for this account would always be “nho” (without quotes). What the application did was pick the email’s fourth letter (n) and walk backwards to the second letter (o).

After finding this, I thought that since the first 3 characters of the token were not random, chances were that the remaining characters also had a meaning. I requested tokens multiple times with this and one more test account, and it turned out that the last few characters were the timestamp.

The only thing left to figure out was the meaning of the 2 characters between “nho” and the timestamp. I tried a lot of things, including analysing patterns across all the tokens requested so far, but everything was in vain. I couldn’t find the meaning of those 2 characters (maybe they were random?).

I thought, why not simply brute-force those 2 characters? Luckily, the application didn’t have rate limiting in place.

I requested password reset links for two email addresses with identical usernames (johndoe@domain.com and johndoe@domain2.com) at exactly the same time. Since the requests were sent at the same time and the username part of the email was identical, the tokens sent to both accounts would be the same except for those 2 random characters.

I checked the inbox of the second email and, while intercepting the request, clicked the reset link. I then sent the request to Burp’s Intruder and started a brute-force attack on those 2 characters. After a few requests, I saw a 302 response, which meant I had successfully found the reset token of the first account and could eventually have taken over the account.
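To make the problem concrete, here is an added model of the token structure described above (the “nho” prefix, two unexplained characters, a timestamp) next to the kind of generator that should replace it, plus a small audit that reports which token positions never change and how many guesses the varying positions leave. This is example code written for this write-up, not the program’s real code; the two-character alphabet [a-z0-9] and the Unix-epoch timestamp format are assumptions, since the real values were not published.

```python
"""Model of the predictable reset token scheme and a fixed generator.
Assumptions (not from the write-up): the two unexplained characters are
drawn from [a-z0-9] and the trailing timestamp is a Unix epoch in seconds."""
import hashlib
import secrets
import string
import time

ALPHABET = string.ascii_lowercase + string.digits


def weak_token(email: str, now=None, pick=secrets.choice) -> str:
    """Reproduce the described structure: letters 4..2 of the address reversed
    ('johndoe' -> 'nho'), two unexplained characters, then a timestamp."""
    prefix = email[3:0:-1]                      # email[3], email[2], email[1]
    middle = pick(ALPHABET) + pick(ALPHABET)    # the only unpredictable part
    stamp = str(int(time.time() if now is None else now))
    return prefix + middle + stamp


def fixed_positions(tokens: list) -> set:
    """Indices that never change across tokens issued for the same account at
    the same instant. A sound token has none; the weak scheme fixes 13 of 15."""
    length = len(tokens[0])
    assert all(len(t) == length for t in tokens), "tokens must share a length"
    return {i for i in range(length) if len({t[i] for t in tokens}) == 1}


def guess_space(tokens: list, alphabet_size: int = len(ALPHABET)) -> int:
    """Upper bound on guesses once the fixed positions are known to an attacker
    who can request a token for a same-username address at the same second."""
    varying = len(tokens[0]) - len(fixed_positions(tokens))
    return alphabet_size ** varying


def secure_token() -> tuple:
    """Fix: a CSPRNG token unrelated to the address or the clock. Only the
    SHA-256 digest is stored, so a database leak does not expose live links."""
    token = secrets.token_urlsafe(32)           # 256 bits of entropy
    digest = hashlib.sha256(token.encode()).hexdigest()
    return token, digest


if __name__ == "__main__":
    T = 1_600_000_000                           # constructed sample timestamp
    weak = [weak_token("johndoe@domain.com", now=T) for _ in range(200)]
    print(weak[0], "guesses needed:", guess_space(weak))   # 1296
    strong = [secure_token()[0] for _ in range(200)]
    print("fixed positions in secure tokens:", fixed_positions(strong))  # set()
```

Rate limiting on the reset endpoint, a short expiry and single-use tokens close the remaining gap even if the generator is already random.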

It was marked as P1/Critical. I hope you enjoyed the writeup.

You can follow me @0xAkash


Published in InfoSec Write-ups: a collection of write-ups from the best hackers in the world on topics ranging from bug bounties and CTFs to vulnhub machines, hardware challenges and real life encounters. In a nutshell, we are the largest InfoSec publication on Medium. Maintained by Hackrew.
