How I Discovered an Email Change Vulnerability Leading to Pre-Account Takeover


Dhananjay Pathak

Hello, everyone! 👋

I’m Dhananjay Pathak, a passionate security researcher, and I’m excited to share my recent discovery of an email change vulnerability that could lead to a pre-account takeover. In this post, I’ll walk you through how I uncovered a simple flaw in the email change process, which allows attackers to take control of a user’s account. I’ll break down each step so you can understand how I identified this critical issue and its potential security risks for users.

Vulnerability Summary: While investigating, I found a flaw in the email change process that lets someone change a user’s email address without proper verification. This loophole allows an attacker to bypass the usual email confirmation step, making it easier for them to take control of a user’s account.

Let’s dive into the step-by-step process of how I discovered this vulnerability!

The first step is to find all possible subdomains associated with the target. I recommend using multiple tools for subdomain enumeration to ensure comprehensive coverage.

sublist3r -d target.com -v -o ~/target/sublister_subdomains.txt
subfinder -d target.com -o ~/target/subfinder_subdomains.txt
amass enum -passive -norecursive -noalts -d target.com -o ~/target/amass_subdomains.txt

To consolidate all the subdomains into one file without duplicates, we can merge the results with anew, which only appends lines not already present.

cat ~/target/subfinder_subdomains.txt ~/target/sublister_subdomains.txt ~/target/amass_subdomains.txt | anew ~/target/all_subdomains.txt

Once we have the subdomains, it’s time to check which ones are actually alive and responding. For this, I used HTTPX, a tool designed to filter live subdomains efficiently.

httpx -l ~/target/all_subdomains.txt -o ~/target/live_subdomains.txt

Once you’ve identified live subdomains, the next step is to look for those that offer registration and login functionalities. These functionalities are often prime targets for testing account-related vulnerabilities, such as authentication bypass, account takeover, or IDOR issues.

After analyzing the subdomain’s functionality, I tested various features. During the email change process, I discovered an interesting behavior:

1. Email Change Link Details:

When requesting to change my email, I received a confirmation link:

https://app.target.com/email-link/weblogin/v7/account/newemail?email=████████&token=██████████

email parameter: Contains the new email address.
token parameter: Contains the corresponding token.

2. Vulnerability Identified:

By intercepting the request and modifying the email parameter to any arbitrary email address, I found that the server still accepted the request as long as it was sent with the valid token. This allowed me to change the user account’s email address to any email of my choosing without additional verification.

3. Impact:

This can lead to account takeover by redirecting password reset emails or other account notifications to an attacker-controlled email address.
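An added example, not from the original post or the affected application, of the server-side logic behind this flaw, assuming a simple in-memory pending-change store: the vulnerable handler applies whatever email parameter arrives with a valid token, while the hardened handler applies only the address that was bound to the token when the change was requested and rejects any mismatch.

```python
import hmac
import secrets
import time

class EmailChangeService:
    def __init__(self):
        self.accounts = {}  # user_id -> current email address
        self.pending = {}   # token -> (user_id, requested new email, expiry)

    def request_change(self, user_id, new_email, ttl=3600):
        # Store the requested address server-side with the token; the link
        # .../newemail?email=<new>&token=<token> is then mailed to that address.
        token = secrets.token_urlsafe(32)
        self.pending[token] = (user_id, new_email, time.time() + ttl)
        return token

    def confirm_vulnerable(self, token, email_param):
        # The flaw in the write-up: only the token is checked, and the email
        # query parameter is applied as-is, so a swapped parameter wins.
        entry = self.pending.pop(token, None)
        if entry is None or entry[2] < time.time():
            return False
        self.accounts[entry[0]] = email_param
        return True

    def confirm_hardened(self, token, email_param):
        # Fix: apply the address bound to the token at request time. The email
        # parameter may only agree with it; any mismatch burns the token.
        entry = self.pending.pop(token, None)
        if entry is None or entry[2] < time.time():
            return False
        user_id, requested_email, _ = entry
        if not hmac.compare_digest(requested_email.lower(), email_param.lower()):
            return False
        self.accounts[user_id] = requested_email
        return True

def demo():
    # Constructed scenario: u1 requests a move to victim-new@example.com; the link's email parameter is swapped.
    svc = EmailChangeService()
    svc.accounts["u1"] = "victim@example.com"
    t = svc.request_change("u1", "victim-new@example.com")
    swapped_vuln = svc.confirm_vulnerable(t, "attacker@example.com")
    email_after_vuln = svc.accounts["u1"]
    t = svc.request_change("u1", "victim-new@example.com")
    swapped_hard = svc.confirm_hardened(t, "attacker@example.com")
    replay_hard = svc.confirm_hardened(t, "victim-new@example.com")  # token burned
    t = svc.request_change("u1", "victim-new@example.com")
    legit_hard = svc.confirm_hardened(t, "victim-new@example.com")
    return swapped_vuln, email_after_vuln, swapped_hard, replay_hard, legit_hard, svc.accounts["u1"]
```

The same property holds if the token is a signed value rather than a store lookup, as long as the new address is part of what is signed.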

After confirming the vulnerability, I submitted a detailed report on HackerOne, outlining the steps to reproduce, the impact, and a proof-of-concept.

A few days later, I received a notification that my report had been successfully accepted and triaged. The security team acknowledged the significance of the vulnerability, appreciating the thoroughness of my submission.

If you enjoyed this write-up and found it useful, don’t forget to follow me on Twitter! You can reach out to me anytime; just drop me a DM. 😊

Thanks for reading! 🙌 Stay safe, and keep hacking ethically! 💻
