InfoSec Write-ups

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties…


Account Takeover (User + Admin) Via Password Reset

Hello Everyone!

I’m Hemant Patidar, Final Year B.Tech - Civil Engineering Student at SRMIST, Chennai.

A Civil Engineer, Cyber Security Enthusiast, and a Bug Bounty Hunter by night.

Let’s start...

When I was doing a password reset on my own account, I noticed that the password reset link sent to my email contained a token that was a five-digit number.

Later on, I came to the conclusion that when password resets are requested for two different users (i.e. Account A and Account B) one after the other, the server assigns them consecutive token numbers. So if account A is the attacker’s account, the attacker can change the token ID to the next consecutive number and reset the password of account B, i.e. the victim’s account, which leads to account takeover.

Example:

If account A received the link: https://dashboard.example.com/password-reset/form?token=28604

Then Account B will receive: https://dashboard.example.com/password-reset/form?token=28605

Now, Let’s takeover the admin account.

After some research, we found that there is no separate login page for the admin user, which means the admin user is probably present on the same login page. So let’s find the admin user’s email address so that we can take over their account. We simply went to the “about-us” page of the website and found the Founder’s email address.

Steps-To-Reproduce:

  1. Open the URL https://dashboard.example.com/login in two different tabs and perform a password reset for both accounts one after the other using their email addresses (i.e. A - your account, B - the admin account).
  2. Now open Notepad and copy the password reset link of account A into it (i.e. https://dashboard.example.com/password-reset/form?token=12345).
  3. Now change the token ID to the next consecutive number. (As the token IDs are assigned consecutively, if yours is 12345 then the admin’s token ID will be 12346.)
  4. Now use the modified link, i.e. https://dashboard.example.com/password-reset/form?token=12346, and reset the admin password.
  5. Boom!! Admin account takeover.
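The root cause above is a reset token drawn from a counter, so one user’s token reveals the next one. The following added example (my own illustration, not code from the post or from the affected site) puts the weak counter-based scheme next to a hardened one and includes a small defender-side check, `looks_sequential`, that a team can run over a handful of freshly issued tokens to catch this class of bug before it ships. Class and function names, the 15-minute lifetime and the starting counter value 28604 (taken from the example links above) are all assumptions for illustration.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Optional


class SequentialResetTokens:
    """The weak scheme the write-up describes (hypothetical reconstruction):
    every reset request receives the next integer, so the token issued to
    one user trivially reveals the token of whoever requests a reset next."""

    def __init__(self, start: int = 28604) -> None:  # 28604 taken from the post's example link
        self._next = start

    def issue(self, email: str) -> str:
        token = str(self._next)
        self._next += 1
        return token


def looks_sequential(tokens: List[str]) -> bool:
    """Defender-side check: True when a sample of freshly issued tokens is
    all-numeric and each one is exactly the previous one plus 1.
    Run it against your own generator in a unit test; it must return False."""
    if len(tokens) < 2 or not all(t.isdigit() for t in tokens):
        return False
    values = [int(t) for t in tokens]
    return all(b - a == 1 for a, b in zip(values, values[1:]))


@dataclass
class PendingReset:
    email: str
    expires_at: float


class RandomResetTokens:
    """Hardened scheme (an assumed design, not the vendor's actual fix):
    256-bit random tokens from the OS CSPRNG, stored only as a SHA-256 digest
    so a database leak does not expose live tokens, single-use, time-limited,
    and a new request for the same email invalidates any earlier token."""

    TTL_SECONDS = 15 * 60  # assumed lifetime; tune to your own policy

    def __init__(self) -> None:
        self._pending: Dict[str, PendingReset] = {}

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, email: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        # Supersede any outstanding token for this address.
        for key in [k for k, v in self._pending.items() if v.email == email]:
            del self._pending[key]
        token = secrets.token_urlsafe(32)  # 32 random bytes, not a counter
        self._pending[self._digest(token)] = PendingReset(email, now + self.TTL_SECONDS)
        return token

    def redeem(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Return the email whose password may now be set, or None if the
        token is unknown, already used, or expired. pop() makes it single-use."""
        now = time.time() if now is None else now
        record = self._pending.pop(self._digest(token), None)
        if record is None or now > record.expires_at:
            return None
        return record.email


if __name__ == "__main__":
    weak = SequentialResetTokens()
    print("weak tokens sequential:", looks_sequential([weak.issue("a") for _ in range(3)]))
    strong = RandomResetTokens()
    print("random tokens sequential:", looks_sequential([strong.issue("a") for _ in range(3)]))
```

Because the hardened scheme looks tokens up by their digest, the token itself never needs to be compared in application code, and a guessed value such as "the previous token plus one" simply misses the table. The expiry and single-use checks limit the window even if a token does leak through a referrer header or mail forwarding.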

Impact:

Account Takeover Of Anyone

#bounty

Timeline:

Bug Reported: Jun 2, 2021

Bounty Rewarded: $200 on Aug 5, 2021

Thanks for reading :)

Happy Hacking ;)

You can see many writeups coming up…

Feel free to message me if you have any queries related to Bug Bounty Hunting

LinkedIn: linkedin.com/in/HemantSolo

Website: hemantsolo.in

Twitter: twitter.com/HemantSolo

Instagram: instagram.com/hemant_solo


Written by Hemant Patidar

I am a passionate cybersecurity researcher and bug bounty hunter who likes to learn more about hacking.
