Password Reset Token Disclosure [Chilexpress]

Philippe Delteil
Published in Hacking/Security
2 min read · Sep 18, 2023

Trying to reset a password might just give it to the attacker.

This must be one of the most incredible vulnerabilities I have come across so far. Mainly because Chilexpress is a large company that (supposedly) has gone through several rounds of penetration testing and security certifications.

Vulnerability

This vulnerability occurs when the “forgot password” functionality of a web application or service returns sensitive information, including user credentials or password reset tokens, to an unauthorized user or attacker. It is a security flaw that can allow an attacker to gain unauthorized access to an account.
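To make the failure concrete, here is an added Python sketch (not Chilexpress's code; the in-memory user store, outbox and response field names are assumptions) of a forgot-password handler that hands the reset token back in its own response, next to a hardened one that only ever sends it to the registered address and stores just its hash:

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory stores standing in for a user database and an
# outbound mail queue (assumptions for this example).
USERS = {"user01": {"email": "user01@example.invalid"}}
RESET_STORE = {}   # username -> (sha256 hex of token, expiry timestamp)
OUTBOX = []        # (email, token) pairs the mailer would deliver

TOKEN_TTL_SECONDS = 15 * 60

def vulnerable_forgot_password(username):
    """The flaw described above: the reset token is returned straight in
    the HTTP response, so whoever submits the form receives it."""
    if username not in USERS:
        return {"status": 404, "body": {"error": "unknown user"}}
    token = secrets.token_urlsafe(32)
    RESET_STORE[username] = (hashlib.sha256(token.encode()).hexdigest(),
                             time.time() + TOKEN_TTL_SECONDS)
    return {"status": 200, "body": {"message": "reset ready", "reset_token": token}}

def hardened_forgot_password(username):
    """Fixed flow: the token leaves the server only via the account's
    registered address, only its hash is stored, and the response body is
    identical whether or not the account exists."""
    user = USERS.get(username)
    if user is not None:
        token = secrets.token_urlsafe(32)
        RESET_STORE[username] = (hashlib.sha256(token.encode()).hexdigest(),
                                 time.time() + TOKEN_TTL_SECONDS)
        OUTBOX.append((user["email"], token))
    return {"status": 200,
            "body": {"message": "If the account exists, a reset link was sent."}}

def redeem_reset_token(username, token):
    """Check a presented token against the stored hash with a constant-time
    comparison and a TTL; a token is single-use."""
    entry = RESET_STORE.get(username)
    if entry is None:
        return False
    stored_hash, expires_at = entry
    presented = hashlib.sha256(token.encode()).hexdigest()
    if time.time() > expires_at or not hmac.compare_digest(stored_hash, presented):
        return False
    del RESET_STORE[username]
    return True
```

The point to verify in a real application is that the token appears nowhere in the reset response (body, headers or redirect URL), only in the out-of-band message.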

How I found the vulnerability

I often find web vulnerabilities in Chile by using day-to-day services. In this case, I opened a business account with Chilexpress (to send items more affordably and with some other advantages), and the first time I used it, I noticed something strange: when I entered my company’s RUT (tax identification number), it asked me to create a user with the name “User01,” and I couldn’t change the name. When I tried to log in again, I entered the RUT, and it automatically showed “User01.” I had never seen a page behave like that before.

A few weeks passed, and one day I decided to take a closer look at this strange login. I opened Burp and started reviewing the requests…
