A tale of zero click account takeover

Veshraj Ghimire
Published in PenTester Nepal
Jan 1, 2022

Hello there!
I hope everything is going well with you; today I’m back with the story of my first critical discovery on Hackerone, which is also my 1st $$$$ bounty.

Initial Recon:
As usual, I began with subdomain discovery and began probing it. I was more interested in this target because the scope was a wildcard: *.target.com. I didn’t come across any unusual or interesting subdomains during my subdomain scanning.
That is why I started looking at the main domain. After a few days of messing around with features on the main domain, I came across a broken access control issue that allowed viewing the personal information of any user. Anyone could view personal information including email ID, address, phone number, date of birth and many more by passing a unique userID to the following endpoint:
/api/Customer/GetAdditional?customerId=

So, I reported the vulnerability quickly. As expected, the triager asked how I could get that unique ID to disclose the PII of other users. I tried looking at every feature and everything I could do, but was unable to get any other user’s unique ID.

After a few days, it was closed as informative, as I was unable to find those unique userIDs.

The Game Changer:
I didn’t give up; I was still looking for things on the same site. One day, while I was browsing the site by proxying it through Burp, I came across a JavaScript file which was discovered by BurpJSLinkFinder, which you can get from the BApp Store. I beautified it, saved the code locally and then started looking through it. After spending a few hours analyzing the JS code, I came across an endpoint, /api/AdditionalCustomerFields, which was disclosing the UserID of all customers up to that date. Then I simply replied to the closed report, explaining how I was able to get the unique UserID of every user on that site, which led to mass PII disclosure of every user of the target. After a few days, it was reopened and triaged as High.

Critical Where?

The game didn’t end here. As I found the JS code interesting, I planned to dig deeper. After a few days, I came across an endpoint, /api/PushToken, which was taking the same UserID parameter in a POST request and returning critical information including passwordHash and resetToken in its response. Luckily, it too was lacking access control.

As I was able to get the reset token by passing the unique UserID of any user, I was able to chain it with the older finding, since I had the userID of every user on the site. I could simply do a forgot password request and use the recoveryToken which I could get through the /api/PushToken endpoint. Here are the steps to reproduce account takeover of every user on the site:

  1. Sending a request to /api/AdditionalCustomerFields would give every user’s unique UserID.
  2. Sending a request to /api/Customer/GetAdditional?customerId= with the UserID would disclose his/her email address.
  3. Resetting the password of the user whom I got from step 2.
  4. Sending a POST request to /api/PushToken with the unique UserID in the body would simply show the recovery code requested in step 3.

This is how I could simply take over anyone’s account on the site.
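Seen from the defender's side, every step of the chain depends on an endpoint that trusts a caller-supplied UserID and returns more fields than the client needs. The sketch below is an added example, not code from the original writeup or from the target; the session shape, sample records, function names and the assumption that /api/PushToken only needs to return an acknowledgement are all hypothetical.

```python
from dataclasses import dataclass

class Forbidden(Exception):
    """Caller may not access the requested object."""

@dataclass(frozen=True)
class Session:  # assumed shape of an authenticated session
    user_id: str
    is_admin: bool = False

# Constructed sample records; the last two fields must stay server-side.
CUSTOMERS = {
    "u-1001": {"email": "alice@example.test", "phone": "555-0100",
               "passwordHash": "<constructed>", "resetToken": "<constructed>"},
    "u-1002": {"email": "bob@example.test", "phone": "555-0101",
               "passwordHash": "<constructed>", "resetToken": "<constructed>"},
}
PUBLIC_FIELDS = ("email", "phone")  # allow-list of fields a response may carry

def authorize(session, customer_id):
    """Object-level check: only the record owner (or an admin) passes."""
    if session is None:
        raise Forbidden("authentication required")
    if not session.is_admin and session.user_id != customer_id:
        raise Forbidden("customerId does not belong to caller")

def get_additional(session, customer_id):
    """GET /api/Customer/GetAdditional?customerId=<id>"""
    authorize(session, customer_id)
    record = CUSTOMERS.get(customer_id)
    if record is None:
        raise Forbidden("not accessible")  # same error, no ID oracle
    # Serialize through the allow-list so secrets cannot leak by accident.
    return {k: record[k] for k in PUBLIC_FIELDS if k in record}

def list_customer_ids(session):
    """GET /api/AdditionalCustomerFields: non-admins see only their own ID."""
    if session is None:
        raise Forbidden("authentication required")
    return sorted(CUSTOMERS) if session.is_admin else [session.user_id]

def push_token(session, customer_id):
    """POST /api/PushToken: acknowledge only, never echo hash or reset token."""
    authorize(session, customer_id)
    return {"status": "ok"}
```

With these checks in place, step 1 yields only the caller's own ID, step 2 fails for any other customerId, and step 4 has no token to read.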

Takeaways:

  • Never give up (good things take time).
  • Try to understand the site and try every feature.
  • Don’t forget to analyze JS files; they can contain lots of sensitive information and hidden endpoints.

Bonus: You can learn more about utilizing JS files to find hidden endpoints and sensitive information here:
https://www.bugbountyhunter.com/guides/?type=javascript_files

That is all for this time,
Hope you enjoyed the writeup. Happy New Year ❤️
You can find me on Twitter if you wish to connect with me.

If you are just starting out in any field of cyber security, the Pentester Nepal community can be very helpful for you. Make sure to join it.
