Bug Chain leads to Mass Account Takeover!

3 years ago

Mass account takeover via password reset functionality.

Shubhayu Majumdar

I have always wanted to find a P1 or P2 bug before writing a Medium article, since that would mean I had really done some good research and had gotten better at bug hunting. Fortunately, I did some good research and got my hands on a few bugs, which I chained into a mass account takeover.

I’m Shubhayu Majumdar, currently pursuing a BTech in Computer Science, and I hunt bugs as a hobby. I recently came across a set of bugs on a private program. To maintain privacy, I’ll refer to the website as redated.in.

What is an account takeover vulnerability?

An account takeover vulnerability allows an attacker to gain unauthorized, full access to a victim’s account by exploiting an authentication flaw in the application, without ever knowing the victim’s password.

Now let's have a look into the bugs individually.

Bugs found:

1. Default SQL data dump.
2. Account takeover via password reset functionality.
3. Re-registration using the same email.

To give an overview, I could easily take over a user’s account via a logic flaw in the password reset functionality, which only asks for a username and an email address. In addition, the SQL dump exposed exactly those two fields for every user. Together, they let me take over the account of every user who has ever registered on the website.

Default SQL data dump

While testing the website, I came across a few interesting endpoints. Two of them sum up the data dump.

1. redated.in/backup, which gave the following response:

Response of visiting redated.in/backup


2. redated.in/backup.sql, which dumped the backed-up data:

Response of visiting redated.in/backup.sql


This dump contained every user’s login information: usernames, passwords (unsalted MD5 hashes, which are trivial to crack offline against a wordlist), and email addresses or phone numbers, depending on which one the user registered with. It looked like this:

User data leaked via data dump


Here, my own username, hashed password and email address have been dumped.
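To show why an exposed dump of this shape is already most of an account takeover, here is an added example (not code from the write-up or from redated.in) that parses a constructed MySQL-style `backup.sql` sample, pulls out the users table, and checks the unsalted MD5 hashes against a small wordlist. The dump text, user names, addresses and wordlist are all made up for the example; the hash values are plain MD5 of common passwords.

```python
import hashlib
import re

# Constructed sample standing in for the leaked backup.sql; not the real dump.
# Users, e-mail addresses and phone numbers are made up. The password column holds
# plain MD5, as the write-up reports the site used.
SAMPLE_DUMP = """
-- MySQL dump (constructed sample)
CREATE TABLE `users` (
  `id` int NOT NULL,
  `username` varchar(64) NOT NULL,
  `password` char(32) NOT NULL,
  `email` varchar(128) DEFAULT NULL,
  `phone` varchar(20) DEFAULT NULL
);
INSERT INTO `users` VALUES (1,'alice','5f4dcc3b5aa765d61d8327deb882cf99','alice@example.com',NULL);
INSERT INTO `users` VALUES (2,'bob','e10adc3949ba59abbe56e057f20f883e',NULL,'+10000000000');
INSERT INTO `users` VALUES (3,'carol','9e107d9d372bb6826bd81d3542a419d6','carol@example.com',NULL);
"""

# Tiny demo wordlist; an attacker would use a real list (or a rainbow table).
WORDLIST = ["123456", "password", "qwerty", "letmein"]

INSERT_RE = re.compile(r"INSERT INTO `users` VALUES \((.*?)\);")
# One SQL literal at a time: a single-quoted string (backslash escapes allowed), NULL, or an integer.
VALUE_RE = re.compile(r"'((?:[^'\\]|\\.)*)'|(NULL)|(-?\d+)")


def parse_users(dump):
    """Return the rows of the users table as dicts keyed by column name."""
    rows = []
    for stmt in INSERT_RE.finditer(dump):
        fields = []
        for text, null, num in VALUE_RE.findall(stmt.group(1)):
            if null:
                fields.append(None)
            elif num:
                fields.append(int(num))
            else:
                fields.append(text)
        uid, username, pw_hash, email, phone = fields
        rows.append({"id": uid, "username": username, "hash": pw_hash.lower(),
                     "email": email, "phone": phone})
    return rows


def crack_md5(rows, wordlist):
    """Map username -> recovered password (None if the hash is not in the wordlist).

    Because the hashes are unsalted, the wordlist is hashed once and the same table
    serves every account in the dump, however many there are.
    """
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return {r["username"]: table.get(r["hash"]) for r in rows}


def reset_inputs(rows):
    """The (username, e-mail) pairs the reset form asks for; phone-only users are skipped."""
    return [(r["username"], r["email"]) for r in rows if r["email"]]


if __name__ == "__main__":
    users = parse_users(SAMPLE_DUMP)
    for name, pw in crack_md5(users, WORDLIST).items():
        print(f"{name}: {pw or '<not in wordlist>'}")
    print("reset-form inputs:", reset_inputs(users))
```

Even the rows whose hash does not crack still yield a username and email address, which is all the reset form described in the next section asks for.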

Account takeover via Password Reset functionality

When I tried to recover my account by resetting the password, I found that the reset page takes a username and an email address to check that the account exists. Once they match, it directly offers to set a new password, with no further verification: no reset link or code sent to the registered email or phone, and no two-factor authentication. Anyone who knows a user’s username and email address can therefore change that user’s password.
Honestly, I didn’t expect such a website to have such poor password reset logic.

Password reset page of redated.in


Re-registration using the same email

I also found that it was possible to register a different username with an email address that was already in use. But this created a problem: for some reason, neither account could then reset its password. This is a major vulnerability in itself, since it lets anyone permanently block another user’s account recovery.

Chaining the bugs

You must have guessed it by now. The SQL dump gives us the username and email address of every user, which is exactly what the reset form asks for, so we can set a new password on any account we choose. After applying the new password, we create another account with a random username and the victim’s email address. Since two accounts now share that email, the victim can no longer recover their account via password reset.

Every user who has already created an account, and every user who creates one in the future, is at risk of losing their account, and losing it permanently.

These bugs could have been prevented by requiring proper out-of-band verification during password reset (a random, expiring, single-use token sent to the registered email or phone, on top of which two-factor authentication can be layered), by refusing to create a second account with an email address that is already in use, by keeping database backups out of the web root so they are never reachable at a guessable URL, and by storing passwords with a salted, slow hash such as bcrypt rather than unsalted MD5.
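As an added example (not redated.in’s code, and not the author’s), here is a small in-memory account store that puts the reset logic described in the write-up next to a token-based reset, and rejects a second registration on an email address that is already taken. The class, function names, the 15-minute token lifetime and the PBKDF2 round count are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets

PBKDF2_ROUNDS = 200_000  # assumed value; tune to your hardware
RESET_TTL = 15 * 60      # seconds a reset token stays valid (assumed value)


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256 instead of the unsalted MD5 seen in the dump."""
    salt = salt or secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def check_password(record, password):
    return hmac.compare_digest(hash_password(password, record["salt"])[1], record["pw"])


def norm_email(email):
    return email.strip().lower()


class AccountStore:
    """Hypothetical in-memory stand-in for the site's user table."""

    def __init__(self):
        self.users = {}         # username -> {"email", "salt", "pw"}
        self.emails = {}        # normalised e-mail -> username: one account per address
        self.reset_tokens = {}  # sha256(token) -> (username, expiry)

    def register(self, username, email, password):
        key = norm_email(email)
        if username in self.users or key in self.emails:
            raise ValueError("username or e-mail already registered")  # fix for bug 3
        salt, digest = hash_password(password)
        self.users[username] = {"email": key, "salt": salt, "pw": digest}
        self.emails[key] = username

    def vulnerable_reset(self, username, email, new_password):
        """Bug 2 as described: a matching username + e-mail pair is all it takes."""
        user = self.users.get(username)
        if user is None or user["email"] != norm_email(email):
            return False
        user["salt"], user["pw"] = hash_password(new_password)
        return True

    def request_reset(self, username, email, now):
        """Hardened step 1: mint a random single-use token and store only its hash.

        The token is returned here so the example can play the mailbox; a real server
        sends it only to the stored address and answers identically either way, so the
        form cannot be used to enumerate accounts.
        """
        user = self.users.get(username)
        if user is None or user["email"] != norm_email(email):
            return None
        token = secrets.token_urlsafe(32)
        key = hashlib.sha256(token.encode()).digest()
        self.reset_tokens[key] = (username, now + RESET_TTL)
        return token

    def complete_reset(self, token, new_password, now):
        """Hardened step 2: the token, not the username/e-mail pair, authorises the change."""
        key = hashlib.sha256(token.encode()).digest()
        entry = self.reset_tokens.pop(key, None)  # pop: a token works at most once
        if entry is None or now > entry[1]:
            return False
        user = self.users[entry[0]]
        user["salt"], user["pw"] = hash_password(new_password)
        return True


def demo():
    """Run both flows against one account and return the outcomes."""
    store = AccountStore()
    now = 1_000_000
    store.register("alice", "Alice@Example.com", "correct horse")
    out = {}
    # Bug 2: username + e-mail alone is enough to change the password.
    out["vulnerable_reset"] = store.vulnerable_reset("alice", "alice@example.com", "owned")
    out["attacker_logs_in"] = check_password(store.users["alice"], "owned")
    # Hardened flow: no token without the right pair, and the token is needed to finish.
    out["wrong_email"] = store.request_reset("alice", "nobody@example.com", now)
    token = store.request_reset("alice", "alice@example.com", now)
    out["bogus_token"] = store.complete_reset("not-a-real-token", "x", now)
    out["valid_token"] = store.complete_reset(token, "fresh", now + 60)
    out["owner_logs_in"] = check_password(store.users["alice"], "fresh")
    out["token_reuse"] = store.complete_reset(token, "again", now + 61)
    late = store.request_reset("alice", "alice@example.com", now)
    out["expired_token"] = store.complete_reset(late, "late", now + RESET_TTL + 1)
    # Bug 3: a second account on the same address (in any letter case) is refused.
    try:
        store.register("mallory", "ALICE@example.com", "pw")
        out["dup_email_rejected"] = False
    except ValueError:
        out["dup_email_rejected"] = True
    return out
```

Calling `demo()` walks through the whole story: the vulnerable reset succeeds with nothing but the dumped username and email, while the hardened reset needs a fresh token that a bogus value, a reused value or an expired value cannot satisfy, and the duplicate-email registration that would have locked the victim out is refused.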

It was really fun hunting on this website and I’ll be publishing more articles and write-ups in the upcoming days.

Hope you enjoyed it :)

Cheers & Stay Safe !! :) ❤

Connect with me on LinkedIn or Twitter.
