Hacking/Security

Writings about hacking, cybersecurity and everything associated, related and similar.

Password Reset Token Disclosure[Chilexpress]

2 min read · Sep 18, 2023


Trying to reset a password might just give it to the attacker.

This must be one of the most incredible vulnerabilities I have come across so far. Mainly because Chilexpress is a large company that (supposedly) has gone through several rounds of penetration testing and security certifications.

Vulnerability

This vulnerability occurs when the “forgot password” functionality of a web application or service returns sensitive information, such as user credentials or password reset tokens, in its response to an unauthorized user or attacker. The “forgot password” flow is supposed to hand the reset secret to the account owner over a separate channel (e-mail or SMS); when the HTTP response itself carries the credentials or the token, anyone who can submit the form and read the response can take over the account.

How I found the vulnerability

I often find web vulnerabilities in Chile by using day-to-day services. In this case, I opened a business account with Chilexpress (to send items more affordably and with some other advantages), and the first time I used it, I noticed something strange: when I entered my company’s RUT (tax identification number), it asked me to create a user with the name “User01,” and I couldn’t change the name. When I tried to log in again, I entered the RUT, and it automatically showed “User01.” I had never seen a page behave like that before.

A few weeks passed, and one day I decided to take a closer look at this strange login. I opened Burp and started reviewing the application’s requests and responses. To my surprise, when I clicked the “Forgot Password” option, the response to the POST request returned all of the user’s data: username, password, secret question, and the answer to the secret question.

With the obtained credentials, I logged into the page to test the impact, which is important for the client/company to take you seriously. I tried using Falabella’s RUT and attempted to make a purchase worth over 17 million Chilean pesos (around $20,000) in cardboard boxes, but I obviously didn’t reach the final step. These business accounts work like post-payment accounts. You can make purchases without having to pay directly; it will be billed to the customer later.

It’s much easier to understand by watching a video. A video speaks louder than a thousand Medium posts:

The issue was reported, and the next day I received a call from the people responsible at the company. Then began the classic ritual: thanks, a request for a quote to provide services to the company, and then nothing ever materializes. It would be much better if they paid a fee, in Bitcoin or Chilean pesos, that rewarded the effort and the risk mitigated for the company’s operations. Unfortunately, when I mentioned bug bounty hunting to them, they had no idea what it was.

In summary:

Reward: $0 + THANKS.

Promise of hiring: TRUE

Contracts finalized: 0

Learning: Always test everything, even the most obvious things. Never assume that just because a company is large, mature, or old, it couldn’t have serious and easily discoverable vulnerabilities.
