Hi everyone, today I will talk about an interesting account takeover flaw which I found around a year back. The root cause of this issue was the algorithm that generated the password reset tokens.
Let’s consider the application as program.com
Like any other application on the web, this one also had a forgot password functionality. I literally forgot my account’s password and requested a reset link, and something weird I noticed was that every time I requested a reset link for this account, the first 3 characters of the token would always remain the same. This caught my attention and I started to dig.
After a few minutes, I realised these 3 characters were my email’s fourth letter to second letter in reverse order. For example, suppose you have an email address email@example.com and you request a password reset link. The first 3 characters of the token for this account would always be “nho” (without quotes). What the application did was pick the email’s fourth letter (n) and traverse in reverse order up to the second letter (o).
After finding this I thought that since the first 3 characters of the token were not random, chances were that the remaining characters would also have a meaning. I requested tokens multiple times with this and one more test account and it turned out that the last few characters were the timestamp.
The only thing left to figure out now was the meaning of the 2 characters sitting between “nho” and the timestamp. I did a lot of things and tried analysing patterns in all the tokens requested so far, but everything went in vain. I couldn’t find the meaning of those 2 characters (maybe they were random?)
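To make the weakness concrete from a defender's point of view, here is an added model of the token layout described above (this is example code written for this post, not the application's code). It reproduces the three-part structure, the predictable email-derived prefix, two unexplained characters, and a timestamp, and then measures how much entropy such a token actually carries. The sample address and the alphabet assumed for the two unknown characters are constructed assumptions; the writeup never says how those characters were generated.

```python
import math
import secrets
import string

# Constructed sample address for this example (hypothetical account).
SAMPLE_EMAIL = "johndoe@example.com"

# Assumed alphabet for the two unexplained characters (an assumption for the
# model; the writeup does not identify how they were produced).
UNKNOWN_ALPHABET = string.ascii_lowercase + string.digits


def email_prefix(email: str) -> str:
    """The predictable 3-char prefix: the local part's 4th letter back to its 2nd."""
    local_part = email.split("@", 1)[0]
    if len(local_part) < 4:
        raise ValueError("local part shorter than the scheme requires")
    return local_part[3:0:-1]  # indices 3, 2, 1 -> fourth, third, second letter


def weak_reset_token(email: str, unknown: str, issued_at: int) -> str:
    """Model of the weak token: email-derived prefix + 2 chars + Unix timestamp."""
    if len(unknown) != 2 or any(c not in UNKNOWN_ALPHABET for c in unknown):
        raise ValueError("scheme uses exactly two characters from the assumed alphabet")
    return f"{email_prefix(email)}{unknown}{issued_at}"


def differing_positions(token_a: str, token_b: str) -> list:
    """Positions where two same-second tokens for the same local part differ.

    Everything outside these positions is derivable by anyone who knows the
    victim's address and roughly when the reset was requested.
    """
    if len(token_a) != len(token_b):
        raise ValueError("tokens of different length are not comparable here")
    return [i for i, (a, b) in enumerate(zip(token_a, token_b)) if a != b]


def effective_entropy_bits(alphabet_size: int, secret_chars: int) -> float:
    """Entropy of the only genuinely secret part of the token, in bits."""
    return math.log2(alphabet_size ** secret_chars)


def secure_reset_token() -> str:
    """What a reset token should look like: 32 random bytes from the OS CSPRNG,
    nothing derived from the account or the clock (~256 bits of entropy)."""
    return secrets.token_urlsafe(32)


if __name__ == "__main__":
    ts = 1700000000
    a = weak_reset_token(SAMPLE_EMAIL, "q7", ts)
    b = weak_reset_token(SAMPLE_EMAIL, "z2", ts)
    print("weak tokens:", a, b)
    print("secret positions:", differing_positions(a, b))
    print("weak entropy (bits):", round(effective_entropy_bits(len(UNKNOWN_ALPHABET), 2), 1))
    print("secure token:", secure_reset_token())
```

With the assumed 36-character alphabet the weak token's secret part holds only about 10 bits, i.e. 1,296 candidates, which is exactly why the missing rate limiting mattered: a token whose unpredictable part is that small has to be protected by attempt limits, and a token built from 32 CSPRNG bytes does not depend on them.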
I thought, why not simply bruteforce those 2 characters? Luckily, the application didn’t have rate limiting in place.
I requested password reset links for two email addresses with an identical username part (firstname.lastname@example.org and email@example.com) at exactly the same time. Since the requests were sent at the same time and the email’s username part was identical, the tokens sent to both accounts would be the same except for those 2 random characters.
I checked the inbox of the second email and, intercepting the request, clicked the reset link. I then sent the request to Burp’s Intruder and started a bruteforce attack for those 2 characters. After sending a few requests, I saw a 302 response, which means I had successfully found the reset token of the first account and could eventually have taken over the account.
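For comparison, here is an added example of how a reset flow closes every gap this bug relied on (example code written for this post, not the application's fix, which the writeup does not describe). Tokens come from the OS CSPRNG with no account- or time-derived parts, the server stores only a hash so a database leak does not expose live tokens, each token expires and is single use, the comparison is constant time, and repeated wrong guesses lock the account's reset flow for a while. The in-memory store and the attempt and lockout limits are assumptions standing in for a real database and policy.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

TOKEN_TTL_SECONDS = 15 * 60     # assumed policy: link valid for 15 minutes
MAX_FAILED_ATTEMPTS = 5         # assumed policy: wrong guesses before lockout
LOCKOUT_SECONDS = 15 * 60       # assumed policy: lockout length


@dataclass
class ResetRecord:
    token_hash: bytes           # only the SHA-256 of the token is stored
    expires_at: float
    used: bool = False


@dataclass
class AccountState:
    reset: Optional[ResetRecord] = None
    failed_attempts: int = 0
    locked_until: float = 0.0


class ResetService:
    """Issue and verify password-reset tokens; a dict stands in for the database."""

    def __init__(self) -> None:
        self._accounts: Dict[str, AccountState] = {}

    def _state(self, email: str) -> AccountState:
        return self._accounts.setdefault(email.lower(), AccountState())

    @staticmethod
    def _digest(token: str) -> bytes:
        return hashlib.sha256(token.encode("utf-8")).digest()

    def issue(self, email: str, now: Optional[float] = None) -> str:
        """Create a fresh token; it is returned once for the email link only."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)   # 256 bits, unrelated to email or clock
        # Issuing a new token invalidates any older one for the account.
        self._state(email).reset = ResetRecord(self._digest(token), now + TOKEN_TTL_SECONDS)
        return token

    def verify(self, email: str, token: str, now: Optional[float] = None) -> bool:
        """Accept the token at most once, before expiry, while not locked out."""
        now = time.time() if now is None else now
        st = self._state(email)
        if now < st.locked_until:
            return False                    # lockout caps blind guessing
        rec = st.reset
        ok = (
            rec is not None
            and not rec.used
            and now <= rec.expires_at
            and hmac.compare_digest(rec.token_hash, self._digest(token))  # constant time
        )
        if not ok:
            st.failed_attempts += 1
            if st.failed_attempts >= MAX_FAILED_ATTEMPTS:
                st.locked_until = now + LOCKOUT_SECONDS
                st.failed_attempts = 0
            return False
        rec.used = True                     # single use
        st.failed_attempts = 0
        return True


if __name__ == "__main__":
    svc = ResetService()
    link_token = svc.issue("alice@example.com")   # constructed sample account
    print("first use ok:", svc.verify("alice@example.com", link_token))
    print("replay ok:", svc.verify("alice@example.com", link_token))
```

Note that the lockout is keyed by the account being reset, not by the client, because the attacker here never needed the victim's inbox; counting attempts per target account is what stops the guessing loop the writeup describes.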
It was marked as P1/Critical. I hope you enjoyed the writeup.
You can follow me @0xAkash