IDOR leads to Mass Account Takeover!

3 years ago 259

Mass Account Takeover via password reset functionality.

Shubhayu Majumdar

Recently I’ve been looking a lot at account takeover vulnerabilities and have found a few good ones. This time it’s an easy one, but used right, it has a huge impact.

I’m Shubhayu Majumdar, currently pursuing a BTech in Computer Science, and I hunt bugs as a hobby. Recently a YouTuber I follow launched his website, and I knew I had to try to find bugs there too. To maintain privacy, I’ll refer to the website as redacted.in.

What is Insecure Direct Object References (IDOR)?

This is a type of access control vulnerability that arises when an application uses user-supplied input to reference objects directly, without checking that the requesting user is authorized to access the referenced object.

What is an account takeover vulnerability?

This vulnerability allows an attacker to gain unauthorized, full access to a victim’s account by exploiting an authentication or authorization flaw in the application.

Now, let's look at the bugs.

Bugs found:

IDOR in the password reset functionality

To help understand the impact: an IDOR vulnerability means there is a chance of horizontal privilege escalation, which can be used to tamper with sensitive information belonging to other users.

IDOR in the password reset functionality

While testing the application, I tried to reset my password. This revealed an API endpoint that takes in two parameters: the user ID and the new password.

[Image: Request body of password reset]

On changing the “userid” parameter to the next value, I received a 200 OK response, which confirms the IDOR vulnerability.

Escalating the bug

We can now iterate through all user IDs and set a password through the vulnerable endpoint, leading to a mass account takeover. This is how a simple vulnerability like IDOR, if used right, can have a huge impact.

There was an OTP verification mechanism implemented, but the password reset endpoint didn’t carry any additional parameters or headers tying the request to that verification, so nothing protected against this vulnerability. It could be prevented by binding the reset request to the verified OTP step (for example via a server-issued, single-use token) and validating that binding properly at the backend.
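The flaw and the fix described above, as an added illustration that is not the site’s code (the in-memory store, token lifetime and function names are my assumptions): the vulnerable handler trusts the `userid` in the request body, while the hardened one derives the account from a single-use token that is only issued after the OTP check passes.

```python
import secrets
import time

# Constructed in-memory user store standing in for the site's database.
USERS = {
    1001: {"email": "alice@example.test", "password": "alice-old"},
    1002: {"email": "bob@example.test", "password": "bob-old"},
}

def reset_password_vulnerable(user_id, new_password):
    """The endpoint as described in the write-up: it trusts the caller-supplied
    user id, so any valid id gets its password overwritten (IDOR)."""
    if user_id not in USERS:
        return 404
    USERS[user_id]["password"] = new_password
    return 200

# Hardened flow: the OTP step hands out a single-use, short-lived token that is
# bound server-side to one account; the reset request carries only that token.
RESET_TOKENS = {}  # token -> (user_id, expires_at); assumed server-side storage
TOKEN_TTL_SECONDS = 600  # assumed lifetime

def issue_reset_token(user_id, otp_verified):
    """Called only after the OTP for this account has been checked."""
    if not otp_verified or user_id not in USERS:
        return None
    token = secrets.token_urlsafe(32)  # unguessable, unlike a sequential user id
    RESET_TOKENS[token] = (user_id, time.time() + TOKEN_TTL_SECONDS)
    return token

def reset_password_hardened(token, new_password):
    """The account is taken from the token binding, never from the request body."""
    entry = RESET_TOKENS.pop(token, None)  # single use: consumed on first attempt
    if entry is None:
        return 403
    user_id, expires_at = entry
    if time.time() > expires_at:
        return 403
    USERS[user_id]["password"] = new_password
    return 200
```

With the hardened handler there is no user id in the request for an attacker to iterate, and a replayed or guessed token is rejected.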

I did find a few more vulnerabilities on the same website, like an OTP bypass and an open redirect, but this was the most impactful. It was quite fun overall.

Hope you enjoyed it :)

Cheers & Stay Safe !! :) ❤

