Cloudflare bypass leads to Account Takeover via Password Reset Poisoning


Abdul Rehman Parkar

Hello fellow researchers, my name is Abdul Rehman Parkar, and I work at IZYITS.

In today’s write-up, we will delve into an Account Takeover (ATO) vulnerability and explain how I was able to bypass Cloudflare’s protections to exploit a password reset flow. This process, known as password reset poisoning, allowed me to gain unauthorized access to user accounts.

When you forget your password and click “Forgot Password,” the website emails you a password reset link that carries a secret token, and that token is supposed to be unique to you. In a password reset poisoning attack, the attacker finds a way to influence how that link is built, most commonly by sending a crafted Host (or X-Forwarded-Host) header in the reset request so that the application generates the link with a domain the attacker controls. The email still goes to the legitimate user, but when they click the link, their browser sends the token to the attacker’s server, and the attacker can then use that token to set a new password on the victim’s account.
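To make the mechanism concrete, here is an added Python example (not code from the original write-up or from the affected site) that places the poisonable reset-link builder next to a hardened one and plays the attack through end to end. The hostnames target.example and attacker.example, the allowlist, and the victim address are assumptions constructed for the demo.

```python
"""Password reset poisoning: vulnerable vs hardened reset-link construction.

Added example, not code from the original write-up. target.example,
attacker.example, the allowlist and the victim address are constructed
assumptions for the demonstration.
"""
import secrets
from urllib.parse import urlsplit, parse_qs

CANONICAL_ORIGIN = "https://target.example"               # assumption: the real site
ALLOWED_HOSTS = {"target.example", "www.target.example"}  # assumption: host allowlist


def build_reset_link_vulnerable(headers: dict, token: str) -> str:
    """Poisonable: the link's host is taken from attacker-controllable headers.
    Many frameworks expose this as request.host / url_for(_external=True),
    and X-Forwarded-Host is often honoured even when no trusted proxy set it."""
    host = headers.get("X-Forwarded-Host") or headers.get("Host")
    return f"https://{host}/reset-password?token={token}"


def build_reset_link_hardened(headers: dict, token: str) -> str:
    """Fixed: the host comes from configuration, never from the request.
    Requests whose Host is not on the allowlist are rejected outright, which
    also stops the application from serving an unexpected virtual host."""
    host = (headers.get("Host") or "").split(":")[0].lower()
    if host not in ALLOWED_HOSTS:
        raise ValueError(f"rejected request with unexpected Host header: {host!r}")
    # X-Forwarded-Host is deliberately ignored here; only honour it when a
    # trusted reverse proxy sets it and strips any client-supplied copy.
    return f"{CANONICAL_ORIGIN}/reset-password?token={token}"


def simulate_poisoning(build_link) -> dict:
    """Plays the attack through: the attacker requests a reset for the
    victim's address with a poisoned Host header, the victim clicks the
    emailed link, and the attacker's server logs the Request-URI.
    Returns what the attacker ends up with."""
    victim_email = "victim@example.org"  # constructed
    token = secrets.token_urlsafe(32)    # the server's real reset token

    # Attacker's /forgot-password request; both host headers are under their control.
    poisoned_headers = {
        "Host": "attacker.example",
        "X-Forwarded-Host": "attacker.example",
    }
    try:
        link = build_link(poisoned_headers, token)
    except ValueError:
        # Hardened builder refused the request: no email, nothing to steal.
        return {"email_sent": False, "token_leaked": False, "stolen_token": None,
                "token": token}

    # The email goes to the victim, not the attacker, but it carries the poisoned link.
    email = {"to": victim_email, "body": f"Reset your password: {link}"}

    # Victim clicks: the browser sends the query string to whatever host the
    # link names. If that is attacker.example, its access log now has the token.
    clicked = urlsplit(link)
    leaked = clicked.hostname == "attacker.example"
    stolen = parse_qs(clicked.query).get("token", [None])[0] if leaked else None
    return {"email_sent": True, "to": email["to"], "token_leaked": leaked,
            "stolen_token": stolen, "token": token}


if __name__ == "__main__":
    for name, builder in (("vulnerable", build_reset_link_vulnerable),
                          ("hardened", build_reset_link_hardened)):
        result = simulate_poisoning(builder)
        print(f"{name}: email sent={result['email_sent']} "
              f"token leaked to attacker={result['token_leaked']}")
```

The hardened builder fixes two things at once: the link is always built from a configured origin, and a request whose Host is not on the allowlist is refused before any email is sent, so a poisoned request produces neither a link nor a mail. When the application sits behind a reverse proxy, honour X-Forwarded-Host only if that proxy is the one setting it and it strips the client's copy; otherwise the header is just another attacker-controlled Host.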

Returning to the write-up, here’s how I identified and exploited the Account Takeover vulnerability through password reset poisoning, despite Cloudflare’s protection.

For security reasons, I prefer not to disclose the actual name of the website or program, so I will refer to it as “traget.com.”
