.png)
3 years ago
145 BOOK THIS SPACE FOR AD
ARTICLE ADSummary: Insufficient Security Configurability | Flaw in Authentication
Steps-To-Reproduce:
Go to the https://www.partneradvantage.goog/ and click on Register as a new partner portal user.Now fill all the details. (i.e. Victim email, which is already registered and the rest of the detail which you want to update in the victim’s account.) and click to submit.
3. Now the victim will receive an email to verify and if he clicks to verify then the above-entered details will get change in the victim account.
4. Boom! You have changed the details in someone else account.
Attack scenario:
The system does not verify the registered email when entered by someone else. Consider the impact of the business if data can be modified and control of the account assumed, other than that the impact of this is that attacker can fill in the data first before the original account owner enters the system.
Timeline:
Jul 20, 2020 - Bug Reported to Google
Jul 21, 2020 - Status changes to Won’t Fix (Not Reproducible) | Explained how to reproduce the bug and Impact
Aug 3, 2020 - Accepted (reopened) ❤
Aug 10, 2020 - Bounty Awarded $500
So, this was my first bounty from Google. I have reported other minor issues and got Hall Of Fame.
Thanks for reading :)
Happy Hacking ;)
You can see many writeups coming up…
LinkedIn: linkedin.com/in/HemantSolo
Website:- hemantpatidar.me
Twitter:- twitter.com/HemantSolo
Instagram:- instagram.com/hemant_solo
Bengali (Bangladesh) · 
English (United States) ·