Admin Account Takeover

Ronak Patel
Published in InfoSec Write-ups
2 min read · Dec 19, 2023


Hi Guys!!!

Today I am writing an article about an Admin Account Takeover bug which I found on a private program. I mostly work with private programs and was waiting for these programs to go public so I could disclose the bugs. I waited a long time and don't know when this will happen, so I started writing articles about my findings again.

Obviously, I cannot disclose the name of the program, so we will call it example.com throughout this article. I have worked with this program for a long time. The program regularly sends updates about new functionality it introduces.

Recently we got an update from the program that they had introduced new functionality called "custom role", where an admin can define a new role and assign custom permissions to users.

Custom Role Permission

As per the above screenshot, an admin could assign the user management permission to a custom role user.

The next step was to log in as this custom role user and navigate to the user management functionality. As it should be, this user was not able to change the admin's role or perform any other user management action on the admin user.

Everything was as expected, but one thing was missed: this custom user was allowed to change the admin user's email. As this user is less privileged than the admin, that should have been disabled. So we changed the admin's email to an email under our (attacker's) control, as per the below screenshot.

Upon changing the email, we got the confirmation email at the newly updated address.

We successfully updated the admin's email to our controlled email. Obviously we didn't know the password yet. So we used the "forgot password" functionality, received the password reset email at our (attacker controlled) email, and set a new password as per the below screenshot.

This is how we were able to take over the admin account using a custom role. This was rated as a High impact bug and received a 4 digit $ bounty.
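To make the root cause concrete from the defender's side, here is an added example (not code from the original article or from the affected program) of the authorization check that was missing. The flaw is that the server only asked "does the actor hold the user management permission?" and never compared the actor's privilege level with the target's, so a custom-role user could edit the admin's email. The fixed version requires the actor to outrank the target and stages the new address until it is confirmed from the current one, which also closes the "forgot password" step that followed. The role names, rank table and user records are constructed for illustration.

```python
"""Broken-access-control demo: changing another user's email (constructed example)."""
from dataclasses import dataclass, field
from typing import Optional, Set

# Hypothetical privilege ranking: a higher number means more privileged.
ROLE_RANK = {"member": 1, "custom": 2, "admin": 3}


class AuthorizationError(Exception):
    pass


@dataclass
class User:
    user_id: int
    email: str
    role: str
    permissions: Set[str] = field(default_factory=set)
    # Staged address waiting for confirmation from the *current* mailbox.
    pending_email: Optional[str] = None


def can_manage(actor: User, target: User) -> bool:
    """Actor may manage target only on its own account, or when it holds the
    permission AND strictly outranks the target. Equal rank is not enough:
    one custom-role user must not be able to rewrite another's credentials."""
    if actor.user_id == target.user_id:
        return True
    if "user_management" not in actor.permissions:
        return False
    return ROLE_RANK[actor.role] > ROLE_RANK[target.role]


def change_email_vulnerable(actor: User, target: User, new_email: str) -> str:
    """Mirrors the bug in the write-up: only the permission is checked,
    the relative privilege of actor and target is ignored."""
    if actor.user_id != target.user_id and "user_management" not in actor.permissions:
        raise AuthorizationError("user_management permission required")
    target.email = new_email
    return target.email


def change_email_fixed(actor: User, target: User, new_email: str) -> str:
    """Hardened form: privilege comparison plus confirmation from the old address."""
    if not can_manage(actor, target):
        raise AuthorizationError(f"{actor.role!r} may not modify a {target.role!r} account")
    # Do not switch yet; the confirmation link is sent to target.email, so the
    # legitimate owner (not whoever typed the new address) completes the change.
    target.pending_email = new_email
    return target.email


def confirm_email_change(target: User, confirmed_from_old_address: bool) -> str:
    """Called when the link delivered to the old mailbox is followed."""
    if confirmed_from_old_address and target.pending_email:
        target.email = target.pending_email
    target.pending_email = None
    return target.email


def demo() -> dict:
    admin = User(1, "admin@example.com", "admin", {"user_management"})
    custom = User(2, "custom@example.com", "custom", {"user_management"})
    results = {}
    # Vulnerable path: the custom-role user rewrites the admin's email.
    results["vulnerable"] = change_email_vulnerable(custom, admin, "attacker@example.net")
    admin.email = "admin@example.com"  # restore for the next check
    try:
        change_email_fixed(custom, admin, "attacker@example.net")
        results["fixed"] = "allowed"
    except AuthorizationError:
        results["fixed"] = "denied"
    # Legitimate path: admin changes a lower-ranked user's email; the change is
    # only staged until the old mailbox confirms it.
    change_email_fixed(admin, custom, "custom-new@example.com")
    results["admin_on_custom_pending"] = custom.email
    results["admin_on_custom_confirmed"] = confirm_email_change(custom, True)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the script shows the vulnerable function returning the attacker's address while the fixed function raises for the same call; the staged-confirmation step is what stops a changed email from immediately becoming a password-reset channel.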

Thanks for reading this article. I will be back soon with another article.
