How I was able to Takeover Accounts on Foxit.com

Jefferson Gonzales
Published in Techiepedia, Jun 29, 2021

Hello to all Security Researchers and Bug Hunters who are reading this blog. I'm Jefferson Gonzales, also new to bug hunting, so without wasting your time, let's begin.

First I used a dork to find a Responsible Disclosure Program, and while searching I found foxit.com.

I created an account on foxit.com and explored the functionality, but I found nothing inside. Then I logged out of my account and tested the forgot password functionality.

First I entered my email and submitted it, then I got my reset password link in my email like this

Nothing suspicious in the link. Then I reviewed my history in Burp Suite and I found this request, made while requesting a password reset

As you can see in the image above, the parameter “resetPasswordUrl:” is the same as the link in the reset password email that was sent to me earlier

I was thinking: what if I change the link inside “resetPasswordUrl:” to https://google.com?

Then I changed it to https://google.com and I got this request sent to my email

And boom! It was successful. Using this vulnerability I can take over any account knowing only the email of the victim

Let’s try to test the account takeover with Burp Collaborator

First I reset the password of my victim's email and changed the “resetPasswordUrl:” to my Burp Collaborator link

And the victim received a message like this

If the victim clicks that link, I will receive the response in my Burp Suite Collaborator like this

Then I can take over the victim's account
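The root cause described above is a server that builds the emailed link from a client-supplied “resetPasswordUrl”. The sketch below is an added example, not Foxit's code or its actual fix: it puts that flawed pattern beside a hardened one. The host `app.example`, the `token` query parameter and all function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit, urlencode

# Assumed placeholders: the application's own origin and reset page.
RESET_BASE = "https://app.example/reset-password"
ALLOWED_ORIGINS = {("https", "app.example")}


def build_link_vulnerable(body: dict, token: str) -> str:
    """Flawed pattern from the writeup: the base of the emailed link is
    whatever the client sent in resetPasswordUrl."""
    return f"{body['resetPasswordUrl']}?{urlencode({'token': token})}"


def is_allowed(url) -> bool:
    """Exact scheme and host match on the parsed URL. Rejects userinfo
    (user@host), look-alike host suffixes, other schemes and odd ports."""
    if not isinstance(url, str):
        return False
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.username is not None or parts.password is not None:
        return False
    if port not in (None, 443):
        return False
    return (parts.scheme, parts.hostname) in ALLOWED_ORIGINS


def build_link_hardened(body: dict, token: str) -> str:
    """The link always comes from server configuration. A client value
    pointing elsewhere is refused, so the caller can log and alert on it."""
    supplied = body.get("resetPasswordUrl")
    if supplied is not None and not is_allowed(supplied):
        raise ValueError("resetPasswordUrl outside allowed origins")
    return f"{RESET_BASE}?{urlencode({'token': token})}"


# Constructed sample request body; the off-site URL is a placeholder.
SAMPLE_BODY = {"email": "user@app.example",
               "resetPasswordUrl": "https://collab.example/x"}
```

A refused request is worth logging with the target email and source address, since a mismatching “resetPasswordUrl” has no legitimate cause when the front end is unmodified.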

  • Reported time: June 9, 2021
  • Bug Fixed: June 22, 2021

Appreciation by Foxit

Thank you for reading this writeup 😁

Contact me on

Twitter: @gonzxph

LinkedIn: @gonzxph
