PII Leakage via IDOR + Weak PasswordReset = Full Account Takeover

3 years ago

Since the program does not allow disclosure, let’s refer to it as redacted.com. It started when I began to test the reset-password functionality of the target. Just like any other website, the forgot-password page at https://redacted.com/forgotpassword sent an email to the registered address with a link for the password change. The reset link looked like this:

https://redacted.com/forgot_password/5f12cc7079f273.12051864/1597479504/NTg4NTg4a2lsbGVyQGdtYWlsLmNvbWFzZGZnaGprbDkxODI3Mzc0NjUwMDA=+++NTg4NTg4a2lsbGVy+++NTg4NTg4

The link did not expire even after the password was changed. Weird, right? Requesting a password reset once again gave the following link:

https://redacted.com/forgot_password/8ac79ccf2a33.12057854/1597486704/NTg4NTg4a2lsbGVyQGdtYWlsLmNvbWFzZGZnaGprbDkxODI3Mzc0NjUwMDA=+++NTg4NTg4a2lsbGVy+++NTg4NTg4

The thing to observe is that the last part of the URL is the same in both links.


After analyzing the above link:

1597486704 → Unix Time Stamp

The last part of the URL was base64-encoded; decoding it gave the following:

588588killer@gmail.comasdfghjkl9182737465000+++588588killer+++588588

Here, 588588 is my user ID and killer@gmail.com is my email address. But wait, what was the gibberish-looking part [asdfghjkl9156837463000]?

Never mind; after playing with the link for some time, I found that only the last part of the URL, i.e. the user ID, was being validated by the server for the password reset.

https://redacted.com/forgot_password/5f12cc7079f273.12051864/1597479504/NTg4NTg4a2lsbGVyQGdtYWlsLmNvbWFzZGZnaGprbDkxODI3Mzc0NjUwMDA=+++NTg4NTg4a2lsbGVy+++[VALIDATED_PART]

So now, if I knew the user ID of any user, I could change their password with ease. Win? Nah!!
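For contrast, here is how a reset link can be validated so that the user ID in the URL is a claim to check rather than the thing that authorizes the reset. This is an added example, not code from the post or from redacted.com; it assumes an in-memory store and a hypothetical 15-minute link lifetime.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # hypothetical policy: a reset link lives 15 minutes


class ResetTokenStore:
    """Server-side store of password-reset tokens.

    Only a SHA-256 digest of each token is kept, so a database leak does not
    hand out usable links. Each token is random, bound to one user, expires,
    and is removed on first use or on any password change. That closes the
    three gaps in the post: a link that stayed valid after the password was
    changed, a token that merely encoded the user ID, and a check that
    trusted the user ID alone.
    """

    def __init__(self, clock=time.time):
        self._clock = clock  # injectable so expiry can be tested offline
        self._by_hash = {}   # token digest -> (user_id, expires_at)

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id: str) -> str:
        # 32 bytes from the OS CSPRNG; nothing about the user is encoded in it
        token = secrets.token_urlsafe(32)
        self._by_hash[self._digest(token)] = (user_id, self._clock() + TOKEN_TTL_SECONDS)
        return token

    def consume(self, token: str, claimed_user_id: str):
        """Return the user ID if the token is valid for claimed_user_id, else None.

        The entry is popped on lookup, so any link works at most once.
        """
        entry = self._by_hash.pop(self._digest(token), None)
        if entry is None:
            return None
        user_id, expires_at = entry
        if self._clock() > expires_at:
            return None
        # constant-time compare of the bound user ID against the one in the URL
        if not hmac.compare_digest(user_id.encode(), claimed_user_id.encode()):
            return None
        return user_id

    def revoke_all_for(self, user_id: str) -> None:
        """Call after every successful password change so older links die."""
        self._by_hash = {h: v for h, v in self._by_hash.items() if v[0] != user_id}
```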
