Cyber Shaolin by Burhan Khawaja

How I Was Able To Takeover Any Virustotal Account

Hi Everyone,

I’m back with one of my recent findings. Well, As you guys already know that Google is a huge MNC and it’s security is tough as Hell. So, technically it’s hard to find something like a ‘security flaw’.

Honestly, it was my dream to get my name on the ‘Google Hall Of Fame’. I saw some leets are already there and they have their names published in news. So, I started with a subdomain enumeration using sublist3r. I got many subdomains, also searched about Google Subdomains online.

You may be aware about a subdomain name Virustotal.com.

As, I was going through the major subdomains and thought to pay virustotal.com a visit. I quickly opened virustotal.com and went through all the features and noted em one by one. I was in search of some low hanging fruits, but got nothing out of it. I was little disappointed by that so I took a break. When I resumed precisely after few hours, to my surprise I forgot my account password… -/

I visited the ‘forgot password’ page and keyed in my details and recived an e-mail. I copied that ‘password reset’ link and opned in new tab and intercepted that request.

Everything went as usual with nothing worth special attention, but then I noticed something in the request . I captured this request and sent it to the repeater.
I visited the ‘forgot password’ page again, but this time I entered my second account details. I received the ‘password reset’ link.
Then, I did the same as i did with my first account,

I replaced my second account username with my first account username.

And, I forwarded the request.
Then I chose a new password and entered it twice as required. After that I tried to login to my first account nothumanninja.

But it said ‘wrong password’

Oops! 😎

Then I tried the new password…
BOOOOM!!!

Successfully Logged In…

I was generously rewarded by Google for this and even got my name added to the ‘Hall of Fame’.

Editors Note: Put a WEBGAP between you and the malware with a browser isolation technology or by leveraging a remote browser service.