How I hijacked your account when you opened my cat picture

I set a goal for a particular program to find a way to take-over someone’s account. My goal was to be able to pick a random user (or all users) and take-over their account without any interaction.

I believe setting goals is something every bug hunter should do. I have noticed for myself that without a goal, you are just trying random things and are unlikely to accomplish anything useful. Goals can be things like “Find a SQLi in program X”, “Find an IDOR on program X” or “Find a take-over on program X”.

I had tried several things on this program trying to hijack accounts, when I looked to find an IDOR in the “Change Email” functionality. The request for changing your e-mail looked like this:

There is nothing like an OldEmail parameter in this request, so I don’t really see much of an opportunity for IDOR here. But something else caught my eye, the value for the g-recaptcha-response is empty. I don’t see any other CSRF Token, so there is no way they are checking for CSRF on this page.

One of the most important steps is to create a proper PoC. Without a PoC your report is useless. So I created a PoC which looked as follows:

This PoC worked, but when executing it I didn’t get this “wow” feeling an account take-over should have. There were several problems:

  1. The victim remained logged in on his account because the sessions were not invalidated.
  2. The PoC only worked one time because after that the account “new-email2@gmail.com” already existed.

Like most programs, this one didn’t care about logout-CSRF. Good for us. We can abuse this “feature” to make the PoC a little more interesting. To solve the second issue I simply added a random number to the e-mail so you could execute it multiple times.

The final PoC looked something like this:

I opted to use an input box to make it easier for the triage team to change it to an email they own themselves.

There are several things to be learned from this:

  • Out of scope / non severe bugs can be useful in a chain with other things
  • Make a great PoC to help developers better understand the severity of some issues.

I opted to mark the report as medium severity because there was still a lot of interaction required to exploit this.

I reported the bug on Intigriti and it got validated very quickly and I got a bounty in no time.

@MattiBijnens