Hello Guys,
Hope Everything’s Fine.
This article is about a bug I recently got resolved in a private program. The program was related to retirement finance planning and contained lots of subdomains with little functionality. Testing such a program requires a lot of recon. It has a strict WAF and rate limiting in place, so your only choice is to do more manual recon.
While going through the available functionality, I came across one domain with authentication. After testing all the authentication-related functionality, I came across the password reset functionality.
As usual, I submitted my test email in the reset password form and went to the test email account's mailbox.
[Screenshot: Password reset link]
As per the screenshot, the password reset link contained three parameters: operation, authkey and uid (user id).
I quickly logged in to another account, noted its uid, swapped it into the above password reset link and fired the request.
As seen, with the updated uid the request went through successfully and I was able to update the password of another account that the password reset link did not belong to.
In summary, the uid was not tied to the authkey. Knowing the uid of any user would allow resetting the password of their account and taking it over using this vulnerability.
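To make the root cause concrete, here is an added example (not the program's code; the in-memory stores and function names are assumptions) of a reset handler that trusts the uid parameter the way the vulnerable one did, beside a fixed version that binds the authkey to exactly one uid, stores only its hash, and makes it expiring and single-use:

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory stores standing in for the application's database (assumption).
USERS = {"1001": {"password": "old-a"}, "1002": {"password": "old-b"}}
RESET_TOKENS = {}  # sha256(authkey) -> {"uid": ..., "expires": ...}


def _key(authkey):
    # Only the hash is stored, so a leaked table does not yield usable authkeys.
    return hashlib.sha256(authkey.encode()).hexdigest()


def issue_reset(uid, ttl=900):
    """Create a reset authkey bound to one uid, valid for ttl seconds."""
    authkey = secrets.token_urlsafe(32)
    RESET_TOKENS[_key(authkey)] = {"uid": uid, "expires": time.time() + ttl}
    return authkey


def vulnerable_reset(uid, authkey, new_password):
    """Checks that the authkey exists but then trusts uid from the URL.

    This is the flaw in the write-up: the uid is never compared with the
    uid the authkey was issued for, so any valid authkey resets any account.
    """
    rec = RESET_TOKENS.get(_key(authkey))
    if rec is None or rec["expires"] < time.time() or uid not in USERS:
        return False
    USERS[uid]["password"] = new_password  # uid not tied to the authkey
    return True


def fixed_reset(uid, authkey, new_password):
    """Only the uid the authkey was issued for may be reset; token is consumed."""
    key = _key(authkey)
    rec = RESET_TOKENS.get(key)
    if rec is None or rec["expires"] < time.time():
        return False
    # Constant-time comparison of the bound uid with the one in the request.
    if not hmac.compare_digest(rec["uid"], uid) or uid not in USERS:
        return False
    RESET_TOKENS.pop(key)  # single use: a replayed link is rejected
    USERS[uid]["password"] = new_password
    return True
```

A detection-side corollary: a reset request whose uid differs from the uid the authkey was issued for is worth alerting on, since it never occurs in legitimate use.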
Find me on Twitter: @bilalresearcher