Full Account Takeover via Password Reset Link Manipulation


Khaleel Khan

Introduction
In 2021, while exploring the diverse landscape of cybersecurity vulnerabilities reported by the bug bounty community, I came across a compelling and critical security issue detailed in a HackerOne report by a fellow bug hunter. This particular vulnerability, documented under HackerOne report #1175081, highlighted a significant flaw in the password reset functionality of a web platform. The reported vulnerability caught my attention due to its simplicity in execution and the profound impact it could have on user account security. It allowed for an unauthorized full account takeover through clever manipulation of the password reset link process.

This report aims to outline my journey in reproducing this vulnerability, demonstrating its potential for exploitation, and stressing the critical importance of securing web application workflows against such attack vectors.

Description of the Vulnerability
The vulnerability was identified within the password reset process, which is intended to let users regain access to their accounts by resetting their passwords through a secure link sent to their registered email address. However, a flaw in the server’s handling of the reset request allows an attacker to modify their own reset request so that the victim’s reset link is also delivered to an attacker-controlled address, giving unauthorized access to any user account.

Steps to Reproduce
1. Initiate Password Reset: Navigate to https://test.com/resetpassword and enter the victim’s email address to initiate the password reset process.

2. Intercept Request: Using a web proxy tool like Burp Suite, intercept the outgoing request made by the password reset form.

3. Modify Request Payload: In the intercepted request’s JSON body, modify the email parameter to include an array with both the victim’s email and the attacker’s email, as follows:

{"email":["victim@test.com","attacker@test.com"]}

4. Forward Modified Request: Forward the modified request through the proxy tool, allowing it to reach the server.

5. Receive Password Reset Link: Both the victim and the attacker receive the password reset email, containing the same link to reset the password.

6. Account Takeover: Use the reset link received in the attacker’s email to reset the victim’s account password, effectively taking over the account.

Impact Analysis
This vulnerability is rated critical for the following reasons:

No User Interaction Required: The attack can be performed without any action or interaction from the victim, making it a silent and effective method for account takeover.
Access to Sensitive Information: Once an account is compromised, an attacker can access private and sensitive information, potentially leading to further attacks or identity theft.
Potential for Widespread Abuse: The simplicity of the attack vector allows it to be replicated across any account on the platform, posing a significant security risk to all users.

Conclusion
The identified vulnerability poses a severe security risk, allowing attackers to gain unauthorized access to any user account with minimal effort and no requirement for victim interaction. The platform’s developers must address this issue promptly by implementing more stringent validation and verification mechanisms within the password reset process. This could include ensuring that the email parameter cannot accept multiple addresses and instituting additional steps to verify the identity of the requestor.
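The request-handling flaw from the steps above, alongside the fix the conclusion calls for, as an added illustration in Python (not code from the original report or from the affected platform): the "before" handler mails whatever the email field contains, so a JSON array yields one link delivered to every listed address; the "after" handler accepts exactly one well-formed string and mails only the address on record. The in-memory USERS store, RESET_TOKENS table and send_mail callback are constructed for this example.

```python
import json
import re
import secrets

# Constructed in-memory user store and token table (hypothetical, for the example)
USERS = {"victim@test.com": {"id": 1}}
RESET_TOKENS = {}  # token -> user id

# Exactly one address: no whitespace, a single "@", a dotted domain.
# Rejects "a@x.com,b@y.com" as well as JSON arrays and non-strings.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


class BadRequest(Exception):
    pass


def vulnerable_reset(raw_body, send_mail):
    """Before: the recipient list comes straight from the request body.
    A JSON array is iterated as-is, so every listed address receives the
    same reset link, which is the behaviour HackerOne report #1175081 describes."""
    recipients = json.loads(raw_body)["email"]
    if isinstance(recipients, str):
        recipients = [recipients]
    token = secrets.token_urlsafe(32)
    link = f"https://test.com/resetpassword?token={token}"
    for addr in recipients:
        send_mail(addr, link)
    return link


def hardened_reset(raw_body, send_mail):
    """After: accept one string address, look the account up, and send only
    to the stored address. Unknown accounts get the same None result so the
    endpoint does not reveal which addresses are registered."""
    email = json.loads(raw_body).get("email")
    if not isinstance(email, str) or not EMAIL_RE.match(email):
        raise BadRequest("email must be a single address")
    canonical = email.lower()
    user = USERS.get(canonical)
    if user is None:
        return None
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[token] = user["id"]  # token is bound to this account only
    link = f"https://test.com/resetpassword?token={token}"
    send_mail(canonical, link)        # recipient is the address on record
    return link
```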
