Account Takeover (User + Admin) Via Password Reset
Hello Everyone!
I’m Hemant Patidar, Final Year B.Tech - Civil Engineering Student at SRMIST, Chennai.
A Civil Engineer, Cyber Security Enthusiast, and a Bug Bounty Hunter by night.
Let’s start...
When I’m doing a password reset of our own account we notice that the password reset link sent to our email contain a token which was of five-digit number.
Later on, I came to the conclusion that while doing a password reset of two different users (i.e. Account A and B) in a consecutive manner then the server will assign a token for both the user in a consecutive number. So that if account A is an attacker’s account then the attacker can change the token ID to the next consecutive number and can change the password of account B i.e. victim’s account. Which leads to account takeover.
Example:
If account A received the link: https://dashboard.example.com/password-reset/form?token=28604
Then Account B will receive: https://dashboard.example.com/password-reset/form?token=28605
Now, Let’s takeover the admin account.
After some research, we have found that there is no separate login page for the admin user. Which means that the admin user might be preset over the same login page. So let’s find out the email address of the admin user’s so that we can takeover their accounts. We simply went on the “about-us” page of the website and found the Founder's email address. Now, Let’s takeover the admin account.
Steps-To-Reproduce:
- Open the URL in two different tabs: https://dashboard.example.com/login and perform a password reset for both accounts in a consecutive manner using the email address. (i.e. A - Your Account, B - Admin Account)
- Now open notepad and copy the password reset link of account A in a notepad (i.e. https://dashboard.example.com/password-reset/form?token=12345)
- Now change the Token ID to the next consecutive number. (As the Token ID assigned in a consecutive manner, If your’s is 12345 then the Admin token ID will be 12346)
- Now use the modified link i.e. https://dashboard.example.com/password-reset/form?token=12346 and reset the admin password.
- Boom!! Admin Account Takeover.
Impact:
Account Takeover Of Anyone
Timeline:
Bug Reported: Jun 2, 2021
Bounty Rewarded: $200 on Aug 5, 2021
Thanks for reading :)
Happy Hacking ;)
You can see many writeups coming up…
Feel free to message me if you have any queries related to Bug Bounty Hunting
LinkedIn: linkedin.com/in/HemantSolo
Website:- hemantsolo.in
Twitter:- twitter.com/HemantSolo
Instagram:- instagram.com/hemant_solo
