Password Reset Token Disclosure[Chilexpress]

9 months ago 58

Philippe Delteil


Trying to reset a password might just give it to the attacker.

This must be one of the most incredible vulnerabilities I have come across so far. Mainly because Chilexpress is a large company that (supposedly) has gone through several rounds of penetration testing and security certifications.

This vulnerability occurs when the “forgot password” functionality of a web application or service returns sensitive information, including user credentials or password reset tokens, to an unauthorized user or attacker. It is a security flaw that can allow an attacker to gain unauthorized access to an account.

I often find web vulnerabilities in Chile by using day to day services. In this case, I opened a business account with Chilexpress (to send items more affordably and with some other advantages), and the first time I used it, I noticed something strange: When I entered my company’s RUT (tax identification number), it asked me to create a user with the name “User01,” and I couldn’t change the name. When I tried to log in again, I entered the RUT, and it automatically showed “User01.” I had never seen a page behave like that before.

A few weeks passed, and one day I decided to take a closer look at this strange login. I opened BURP and started reviewing the requests and responses of the application. To my surprise, when I clicked on the “Forgot Password” option, the response from the POST request returned all the user’s data: username, password, secret question, and answer to the secret question.

With the obtained credentials, I logged into the page to test the impact, which is important for the client/company to take you seriously. I tried using Falabella’s RUT and attempted to make a purchase worth over 17 million Chilean pesos (around $20,000) in cardboard boxes, but I obviously didn’t reach the final step. These business accounts work like post-payment accounts. You can make purchases without having to pay directly; it will be billed to the customer later.

It’s much easier to understand by watching a video. A video speaks louder than a thousand Medium posts:

Read Entire Article