Password Reset Token Disclosure [Chilexpress]
This must be one of the most incredible vulnerabilities I have come across so far. Mainly because Chilexpress is a large company that (supposedly) has gone through several rounds of penetration testing and security certifications.
Vulnerability
This vulnerability occurs when the “forgot password” functionality of a web application or service returns sensitive information, such as user credentials or the password reset token itself, directly in the HTTP response to whoever submitted the request, instead of delivering it only out of band (for example, to the registered email address or phone number). Since the reset flow can usually be triggered for any account by supplying its identifier, an attacker who receives the token in the response can complete the reset themselves and take over the account without ever touching the victim’s inbox.
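To make the flaw concrete, here is an added example (not code from the original post, and not Chilexpress’s implementation) that contrasts a vulnerable forgot-password handler, which echoes the reset token in its response, with a hardened one that only sends the token out of band and returns the same generic message for known and unknown users. The in-memory user table, token store and email outbox are constructed stand-ins for a real database and mail provider; the `reset_password` function shows the consuming side, with single-use and expiry checks.

```python
import hashlib
import secrets
import time

# Constructed in-memory stand-ins for a database and a mail provider (demo only).
USERS = {"user01": {"email": "user01@example.com", "password_hash": None}}
RESET_TOKENS = {}   # sha256(token) -> (username, expiry_timestamp)
OUTBOX = []         # (recipient_email, raw_token) pairs "sent" by e-mail
TOKEN_TTL_SECONDS = 15 * 60

# Identical response for existing and non-existing accounts: no enumeration.
GENERIC_RESPONSE = {"message": "If that account exists, a reset link has been sent."}


def _new_token(username):
    """Mint a random token and store only its hash server-side.

    The raw token is returned so the caller can deliver it out of band;
    a database leak then does not hand out usable tokens.
    """
    token = secrets.token_urlsafe(32)
    token_hash = hashlib.sha256(token.encode()).hexdigest()
    RESET_TOKENS[token_hash] = (username, time.time() + TOKEN_TTL_SECONDS)
    return token


def forgot_password_vulnerable(username):
    """Vulnerable pattern: the reset token is returned in the HTTP response.

    Anyone who can submit a victim's identifier receives a valid token for that
    account. The distinct error for unknown users also leaks account existence.
    """
    if username not in USERS:
        return {"error": "unknown user"}
    token = _new_token(username)
    return {"message": "token generated", "reset_token": token}


def forgot_password_fixed(username):
    """Hardened pattern: the token leaves the server only via the registered
    e-mail address, and the HTTP response never depends on whether the user exists."""
    user = USERS.get(username)
    if user is not None:
        OUTBOX.append((user["email"], _new_token(username)))
    return GENERIC_RESPONSE


def reset_password(token, new_password):
    """Consume a reset token: look it up by hash, enforce single use and expiry.

    Returns True when the password was changed, False otherwise.
    """
    token_hash = hashlib.sha256(token.encode()).hexdigest()
    entry = RESET_TOKENS.pop(token_hash, None)   # pop: a token is valid exactly once
    if entry is None:
        return False
    username, expiry = entry
    if time.time() > expiry:
        return False
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", new_password.encode(), salt, 200_000)
    USERS[username]["password_hash"] = salt.hex() + ":" + digest.hex()
    return True


def demo():
    """Walk through the attack against the vulnerable handler, then the fixed flow."""
    leaked = forgot_password_vulnerable("user01")
    print("vulnerable response:", leaked)
    print("attacker resets victim password:", reset_password(leaked["reset_token"], "pwned"))

    print("fixed response:", forgot_password_fixed("user01"))
    print("fixed response for unknown user:", forgot_password_fixed("nobody"))
    recipient, token = OUTBOX[-1]
    print("token only reachable via", recipient, "->", reset_password(token, "new-secret"))


if __name__ == "__main__":
    demo()
```

The key check when testing a reset flow is simply to diff the two responses: the hardened handler’s body contains nothing derived from the account, so observing it tells an attacker neither whether the account exists nor anything they could use to finish the reset.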
How I found the vulnerability
I often find web vulnerabilities in Chile by using day-to-day services. In this case, I opened a business account with Chilexpress (to send items more affordably and with some other advantages), and the first time I used it, I noticed something strange: when I entered my company’s RUT (tax identification number), it asked me to create a user with the name “User01,” and I couldn’t change the name. When I tried to log in again, I entered the RUT, and it automatically showed “User01.” I had never seen a page behave like that before.
A few weeks passed, and one day I decided to take a closer look at this strange login. I opened Burp and started reviewing the requests…