#BugBounty — “Let me reset your password and login into your account” - How I was able to Compromise any User Account via Reset Password Functionality

Avinash Jain (@logicbomb)
Published in InfoSec Write-ups
3 min read · Mar 14, 2018

Hi Guys,

One more interesting blog explaining an interesting vulnerability that I found a while back in one of the mobile wallet companies of India.

To log in to any online website we need a username, which is usually the user’s registered mail ID, and the password the user has set for it. If the user does not remember the password, the Reset Password feature comes to the rescue. While researching vulnerabilities around this feature, I found a logical flaw by which I was able to reset any user’s password and log in with it to take over that user’s account.

Let’s now enter into the explanation:

  1. When I clicked on the Reset Password functionality for the account “testaccount09@gmail.com”, I received a mail saying “To reset the password, please click on the below link” and the link was something like:

http://www._________.com/account/resetpassword?id=296417&token=dGVzdGFjY291bnQwOUBnbWFpbC5jb20=&vit=MjAxNi8xMC8yNQ==

2. Here ‘id’ is the identification number associated with the user account, ‘token’ is the base64-encoded registered mail ID of the user (it decodes to “testaccount09@gmail.com”), and ‘vit’ is a base64-encoded timestamp, which in this case decodes to “2016/10/25”.

3. Researching more, I found that the timestamp parameter is the expiry date of the reset password link, which here was 2 days ahead of the time the user clicked on the reset password option.

4. Here comes the step of compromising a user account. By user enumeration on the same page, I found one valid user account and generated a forgot-password link for it. Now began the task of finding the right reset password link: I replaced the mail ID with the victim’s, encoded it to base64, and kept the timestamp value 2 days ahead of the current date.

Victim mail id — varun09811@gmail.com

Base64 encoded value (Parameter = token) — dmFydW4wOTgxMUBnbWFpbC5jb20=

Timestamp value (Parameter = vit) — MjAxNi8xMC8yNQ==

5. The other part is to find the “id” associated with that particular user mail ID. Since it is a 6-digit code, I tried brute-forcing it (fortunately no rate limiting was set) and after a while I found the right id associated with the victim mail ID, which happened to be id=254346 (yes, this is somewhat time consuming).

6. So the tampered URL looked like:

http://www._________.com/account/resetpassword/?id=254346&token=dmFydW4wOTgxMUBnbWFpbC5jb20=&vit=MjAxNi8xMC8yNQ==

I loaded the link in the browser and was presented with a “Set new password” page:

[Image: New Password Set page]

I reset his password and was successfully able to log in to his account. I had complete access to the account: I could use his wallet money, change the registered mobile number, and everything else!
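The three weaknesses in the link above (a token that is just the base64 of the e-mail address, a guessable 6-digit id with no rate limiting, and a two-day expiry carried in the URL itself) point at what a sound reset flow needs. The following is an added example, not code from this post or from the affected company: a Python sketch of reset-token issuance and redemption in which the token is random, only its hash is stored server-side, it is bound to one user id, short-lived, and consumed on first use. The in-memory dictionaries and the e-mail addresses are constructed stand-ins for a real database.

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory stores standing in for a database (assumption).
USERS = {254346: "victim@example.com", 296417: "testaccount09@example.com"}
RESET_TOKENS = {}  # user_id -> {"hash": sha256 hex of token, "expires": unix time}

TOKEN_TTL_SECONDS = 15 * 60  # minutes, not the two-day window seen in the post


def issue_reset_token(user_id, now=None):
    """Create a reset token for user_id and return it for e-mailing.

    The token is 32 random bytes (not derived from the e-mail or a date), only
    its SHA-256 hash is stored, and it replaces any earlier outstanding token.
    """
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[user_id] = {
        "hash": hashlib.sha256(token.encode()).hexdigest(),
        "expires": now + TOKEN_TTL_SECONDS,
    }
    return token  # sent only to the registered address, never echoed elsewhere


def redeem_reset_token(user_id, token, now=None):
    """Return True and invalidate the token if it is valid for user_id."""
    now = time.time() if now is None else now
    record = RESET_TOKENS.get(user_id)
    if record is None or user_id not in USERS:
        return False  # no outstanding token for this user: id guessing gains nothing
    presented = hashlib.sha256(token.encode()).hexdigest()
    # Constant-time comparison against the hash stored for this user id only,
    # so a token issued for one account cannot be replayed against another.
    if not hmac.compare_digest(presented, record["hash"]):
        return False
    if now > record["expires"]:
        RESET_TOKENS.pop(user_id, None)  # expiry is enforced server-side, not from the URL
        return False
    RESET_TOKENS.pop(user_id, None)  # single use: consumed on successful redemption
    return True
```

Rate limiting on the reset endpoint and a generic response for unknown accounts complete the picture but are outside this snippet.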

I reported this vulnerability to the concerned enterprise, and they were quick to patch it within 2 days. I thank the company for the small token of appreciation :)

Thanks for reading!

~Logicbomb (https://twitter.com/logicbomb_1)
