PII Leakage via IDOR + Weak PasswordReset = Full Account Takeover

4 years ago 168
BOOK THIS SPACE FOR AD
ARTICLE AD

Since the program does not allow disclosure, let’s consider the program as redacted.com. It started when i began to test the reset password functionality of the target. Just like any other website, the forgot password on https://redacted.com/forgotpassword also sent a email to the registered mail address for the password change. The reset password link was as below:

https://redacted.com/forgot_password/5f12cc7079f273.12051864/1597479504/NTg4NTg4a2lsbGVyQGdtYWlsLmNvbWFzZGZnaGprbDkxODI3Mzc0NjUwMDA=+++NTg4NTg4a2lsbGVy+++NTg4NTg4

The link did not expire even after changing the password.Weird Right!!. Requesting for reset password once again gave the following link:

https://redacted.com/forgot_password/8ac79ccf2a33.12057854/1597486704/NTg4NTg4a2lsbGVyQGdtYWlsLmNvbWFzZGZnaGprbDkxODI3Mzc0NjUwMDA=+++NTg4NTg4a2lsbGVy+++NTg4NTg4

The thing to observe is that the last part of the URL is same for both the link.

Image for post

Image for post

After analyzing the above link:

1597486704 → Unix Time Stamp

The last part of the url was base64, decoding which gave the following:

588588killer@gmail.comasdfghjkl9182737465000+++588588killer+++588588

Here, 588588 is my User ID and killer@gmail.com is my email address. But wait, what was the gibberish look-alike thing [asdfghjkl9156837463000]?

Nevermind, after playing with the link for some time, I found that only the last part of the URL I,e the userID was being validated by the server for the password reset.

https://redacted.com/forgot_password/5f12cc7079f273.12051864/1597479504/NTg4NTg4a2lsbGVyQGdtYWlsLmNvbWFzZGZnaGprbDkxODI3Mzc0NjUwMDA=+++NTg4NTg4a2lsbGVy+++[VALIDATED_PART]

So now, If i knew the userID any user, I could change his password with ease. Win? Nah!!

Read Entire Article