Let me takeover your account


Hello everyone! Welcome back again to my Medium post, it's been a while… I miss all of my fellow bug hunter and security enthusiast readers :D

Well, after 2 blog posts, I assume that you already know who I am: I'm just an Indonesian boy trying to achieve my goals by doing bug bounty in my free time hehe. So yeah, in today's blog I want to tell you how I found my first account takeover at an Indonesian startup company that provides call center services. Actually I was quite lucky finding the bug on that company. Before we dive into the technical stuff, allow me to explain really quickly what an account takeover is.

Account takeover is a vulnerability that allows a bad actor / attacker to gain unauthorized access to a user's account on a website, application, or service. Well yeah, the account takeover definition is not that hard, because just from the name we know what this vulnerability is about. But the question is: how do we take over someone's account? How do those bad actors do it? There are many vulnerabilities that can be used to take over someone's account:

- Using XSS (Cross-site scripting) to steal someone else's cookies
- Password-based vulnerabilities (bruteforcing, weak passwords, etc.)
- Session management vulnerabilities
- Insecure APIs
- and many more

But in this blog I want to share with you how I found an account takeover by only using the reset password functionality and a victim account. So, I've talked too much, let's get deep into the technical stuff, shall we?

So first of all, let's say this website's name is xyz.com. As I've said in my previous blog, my methodology for testing a website is not doing subfinder, or doing wayback, etc. First of all I just go straight to the login page and test for low hanging fruits like no rate limit, open redirect, etc. But no luck, I found nothing on the login page.

But of course as a bug hunter, the one mental skill that we need is never giving up; we need to keep trying until the gold is dragged out of the mine. So after that I went into the reset password flow, and when I got the reset password link I was thinking "hmm, maybe there is a parameter that can be changed during the password reset", so yeah, I tested that out. I went into forgot password -> opened the link through Burp Suite, and before clicking reset password I turned on my intercept and found this kind of request:

I'm sorry for the blurry picture, but from that picture, is your bug hunter sense tingling?

If so, then wow, your sense is really strong and right. What you sense right now is what I sensed too when I found that request:

_token=STJhLPU4zVJZ9o4IgA1v5KyCdfmM3p43STe25QVB&token=b2bd717f-2f1e-441b-b7c6-00d4cc914419&email=victimjodyritonga%40gmail.com&member_password=&member_password_confirmation=

At that time I was thinking "hmm, maybe if I change the email parameter to another email they don't do validation and I can change someone else's password", and I tried it. I changed the email to my other email account:

_token=STJhLPU4zVJZ9o4IgA1v5KyCdfmM3p43STe25QVB&token=b2bd717f-2f1e-441b-b7c6-00d4cc914419&email=jodyritonga%40gmail.com&member_password=&member_password_confirmation=

And BOOM! GOTCHA! I got a 302 response saying the reset was successful. The server only checked that the reset token existed; it never checked that the token was bound to the email in the request, so the password of whatever email I supplied got reset. When I checked my victim account and logged in using the password that had just been reset through the attacker account, it worked, and my reaction was like
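To show the root cause from the defender's side, here is an added example (not code from the post or from the affected company) of a reset handler with the same flaw next to a hardened one. The stores, field names and emails are constructed assumptions; the point is that the account to update must come from the record the token was issued for, never from the submitted email field.

```python
import hashlib
import secrets
import time

# Constructed in-memory stores standing in for the application's database (assumption).
USERS = {"victim@example.com": {"salt": None, "hash": None},
         "attacker@example.com": {"salt": None, "hash": None}}
RESET_TOKENS = {}  # token -> {"email": bound account, "expires": unix time}


def issue_reset_token(email, ttl=900):
    """Forgot-password step: bind a random, short-lived token to the requesting account."""
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[token] = {"email": email, "expires": time.time() + ttl}
    return token


def _set_password(email, password):
    # PBKDF2 from the standard library; swap in argon2/bcrypt in a real deployment.
    salt = secrets.token_bytes(16)
    USERS[email].update(salt=salt,
                        hash=hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000))


def _valid_token(form):
    rec = RESET_TOKENS.get(form["token"])
    return rec if rec and rec["expires"] > time.time() else None


def reset_vulnerable(form):
    """Same defect as in the post: the token is checked for existence only,
    and the account that gets updated is taken from the client-supplied email."""
    rec = _valid_token(form)
    if rec is None:
        return "invalid token"
    if form["member_password"] != form["member_password_confirmation"]:
        return "passwords differ"
    _set_password(form["email"], form["member_password"])  # trusts the form field
    RESET_TOKENS.pop(form["token"])
    return "302 reset ok"


def reset_fixed(form):
    """Hardened: the token identifies the account; a mismatching email is rejected."""
    rec = _valid_token(form)
    if rec is None:
        return "invalid token"
    if not secrets.compare_digest(rec["email"], form["email"]):
        return "token does not belong to that account"
    if form["member_password"] != form["member_password_confirmation"]:
        return "passwords differ"
    _set_password(rec["email"], form["member_password"])  # account from the token record
    RESET_TOKENS.pop(form["token"])  # single use
    return "302 reset ok"
```

A useful regression test for this class of bug is exactly the request from the post: a valid token for account A submitted with account B's email must be rejected and must leave B's credentials untouched.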

And yes, I reported the vulnerability, and the company thanked me and gave me some appreciation $$$.

So I hope you can learn something from this simple account takeover method. Keep hacking, fellow hackers! Don't let duplicates stop you :D
