How I Discovered an Account Takeover Vulnerability (And Earned $300!)


Cyber Tamarin

Imagine waking up one morning, groggy-eyed, reaching for your phone — only to realize you’ve been digitally evicted from your own accounts. No warning, no suspicious emails, just poof — gone. Did you sleep-hack yourself? Did your cat walk across the keyboard with malicious intent? Nope. This is the magic of an Account Takeover (ATO) vulnerability — where attackers can hijack accounts with about as much effort as ordering a pizza.

Recently, I stumbled upon one such flaw in a website’s password reset mechanism. Instead of exploiting it for world domination (tempting), I did the responsible thing — reported it and bagged a $300 bug bounty.


The Hunt Begins…

Like any good cyber-sleuth (or just someone with too much time on their hands), I often poke around websites, trying to find their weaknesses. This time, I zeroed in on the password reset functionality — you know, that thing we all use when we forget our passwords for the hundredth time. Turns out, this one had a sneaky little flaw that made it possible to hijack accounts. Cue the dramatic music.


Step-by-Step Breakdown of the Exploit:

Here’s how an attacker could’ve pulled off this digital magic trick:

1. Request Password Reset: Attacker: “Let’s enter the victim’s email and see what happens.” 🤔 | Website: “Sure! Here’s a nice reset link, go crazy.” | Victim: completely unaware their account is about to be hijacked.

2. Victim Interaction: The victim clicks the reset link but then gets distracted — maybe a cat video, maybe an existential crisis. Either way, they don’t finish resetting their password.

3. Session Exploitation: Here’s where things get spicy. Because the website is terrible at managing sessions, an attacker can reload the reset page and — voilà! — they’re magically authenticated.

4. Password Reset: Attacker: “Why thank you, website! Let me just set a new password for myself.” | Victim: “Wait, why is my password not working anymore?”

And just like that, an innocent user gets locked out. Tragic. 😢
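The weak spot in the flow above is that merely visiting the reset link changes server-side state and hands out an authenticated session before any new password has been set. As an added example (my code, not the author's and not the unnamed target site's), here is a minimal hardened reset service showing the properties a defender should check for: tokens are short-lived, stored only as hashes, revoked when a newer one is issued, consumed only when the new password is actually submitted, and the GET of the link never creates a session. All class and method names are assumptions, and the caller passes the clock (`now`) so expiry can be tested offline.

```python
import hashlib
import secrets
from dataclasses import dataclass, field

def _h(value):
    return hashlib.sha256(value.encode()).hexdigest()

@dataclass
class ResetService:
    """Hardened reset flow: tokens are single-use, short-lived, stored only as
    hashes, and visiting the link never turns into a logged-in session by itself.
    `now` is passed in by the caller (unix seconds) so the expiry logic is testable."""
    ttl_seconds: int = 900
    users: dict = field(default_factory=dict)     # user_id -> password hash
    emails: dict = field(default_factory=dict)    # email -> user_id
    tokens: dict = field(default_factory=dict)    # sha256(raw token) -> (user_id, expires_at)
    sessions: dict = field(default_factory=dict)  # session_id -> user_id

    def request_reset(self, email, now):
        """Issue a fresh token; older tokens for the same user are revoked.
        The raw token goes only into the e-mail; the server keeps its hash."""
        user_id = self.emails.get(email)
        if user_id is None:
            return None  # the HTTP response should look identical either way
        self.tokens = {h: t for h, t in self.tokens.items() if t[0] != user_id}
        raw = secrets.token_urlsafe(32)
        self.tokens[_h(raw)] = (user_id, now + self.ttl_seconds)
        return raw

    def _valid(self, raw, now):
        t = self.tokens.get(_h(raw))
        return t if t is not None and now <= t[1] else None

    def view_reset_page(self, raw, now):
        """GET of the link only validates the token: no session is created and
        no state changes, so reloading the page later grants nobody access."""
        return self._valid(raw, now) is not None

    def complete_reset(self, raw, new_password, now):
        """POST of the new password consumes the token (pop, so it cannot be
        replayed) and logs out every existing session of that user."""
        if self._valid(raw, now) is None:
            return None
        user_id, _ = self.tokens.pop(_h(raw))
        self.users[user_id] = _h(new_password)  # stand-in for argon2/bcrypt
        self.sessions = {s: u for s, u in self.sessions.items() if u != user_id}
        return user_id
```

When reviewing a real reset endpoint, the checks to run are the same ones the assertions below encode: reloading the link must not log anyone in, a spent or expired link must be rejected, and a completed reset must kill the account's other sessions.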

Proof of Concept (POC):

If you think I’m making this up, here’s the proof:

Impact:

This wasn’t just a minor inconvenience; this was a digital disaster waiting to happen. If left unfixed, bad actors could have taken over thousands of accounts, leading to identity theft, data breaches, and possibly someone’s mom losing access to her favorite online knitting forum.


Moral of the story? Password reset mechanisms are a goldmine for security flaws, and if you’re a bug hunter, they’re worth checking out. Plus, reporting vulnerabilities ethically can earn you some nice side cash — like my $300 bounty!

If you enjoyed this write-up, follow me for more cybersecurity chaos and bug bounty adventures.

LinkedIn: https://www.linkedin.com/in/antonyesthaktwinson

Notes:

I have intentionally not mentioned the target site for certain reasons. If you recognize it from the UI, please don’t spill the beans. Let’s keep it ethical!

And… this is my first write-up, so if you have any suggestions, feel free to drop them! Be nice though — I’m fragile. 🫠
