Accidental Account takeover

Ajay Magar
Published in InfoSec Write-ups
Oct 9, 2022


Hello Security Community,

Let’s start the writeup. I was testing a team management app. It has multiple roles and permission-level functions. The sign-up page uses an email address and password based authentication system, so I signed up with Admin, Manager and read-only accounts using Firefox containers.

The email verification link with its token looked like this:

email verification token link

I copied this URL from my mailbox in Chrome. I saw that the token is UUID based and unguessable. I moved on to the dashboard to check other functions. While testing the app I tried to copy a link, but somehow it didn’t work. I opened a private window and pasted that link, but since the copy had failed, my clipboard still held the email verification link. I was in a hurry and didn’t look at what I had pasted; I hit search and saw the dashboard of the target app. I thought the token was for one-time use, but I was wrong. Then I searched for that token with Burp’s search function and found out that it is the user’s userID.

So I started looking for other users’ userIDs in API responses. It is a team-based app with a Users page; I captured that request, and the response contained the userId of every user listed there.

I got access to every employee account in my team.
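The root cause described above is a verification link whose “token” is just the user’s ID and which keeps working forever. As an added example (not code from the app or the author), here is a toy verifier that reproduces that flaw beside a hardened version: random single-use tokens, stored hashed, bound to one user, expiring, and never establishing a session by themselves. The in-memory stores and the `user-1111` record are constructed assumptions.

```python
import hashlib
import secrets
import time
from typing import Optional

# Constructed in-memory stores standing in for the app's database.
USERS = {"user-1111": {"email": "alice@example.test", "verified": False}}
TOKENS = {}  # sha256(token) -> {"user_id", "expires", "used"}
TOKEN_TTL_SECONDS = 60 * 60  # verification links expire after one hour


def vulnerable_verify(token: str) -> Optional[str]:
    """The pattern from the write-up: the 'token' IS the user ID, it is never
    consumed, and anyone who knows an ID gets that user's session."""
    if token in USERS:
        USERS[token]["verified"] = True
        return token  # caller treats this as a logged-in user: account takeover
    return None


def hash_token(token: str) -> str:
    # Store only a hash so a database leak does not hand out live links.
    return hashlib.sha256(token.encode()).hexdigest()


def issue_verification_token(user_id: str, now: Optional[float] = None) -> str:
    """Mint a random, single-use token tied to one user; never the user ID itself."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, unguessable
    TOKENS[hash_token(token)] = {"user_id": user_id,
                                 "expires": now + TOKEN_TTL_SECONDS,
                                 "used": False}
    return token


def verify_email(token: str, now: Optional[float] = None) -> Optional[str]:
    """Consume a token. Returns the verified user ID or None on any failure.
    A verified email must not create a session; the caller still has to
    authenticate the user with their password afterwards."""
    now = time.time() if now is None else now
    record = TOKENS.get(hash_token(token))
    if record is None or record["used"] or now > record["expires"]:
        return None
    record["used"] = True  # one-shot: a replayed link is rejected
    USERS[record["user_id"]]["verified"] = True
    return record["user_id"]
```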

To increase the severity I started looking for this userID in other parts of the application. Then I found a feedback page where multiple users and company employees comment on each other’s feedback. GOLDMINE.

I took over an employee account for the PoC.

Goodbye until next time!
