SECURITY REPORT WRITEUP:


Access Control Vulnerability Leaves Users Locked Out of Their Accounts.

Hello, my name is Ashar Mahmood, a passionate 20-year-old cybersecurity enthusiast, and I am thrilled to share my debut security write-up. Recently, I had the privilege of discovering a noteworthy vulnerability, an accomplishment that not only brought me great satisfaction but also rewarded me with €500 💶🤑🫰, a moment I will cherish forever. This write-up serves as a testament to my dedication and hard work, as well as a reminder of the impact a single vulnerability can have on the security of online platforms. With this achievement, I take a confident step forward on my cybersecurity journey, eager to make further contributions and establish myself as a promising talent in this dynamic industry.

Description:

An access control vulnerability I found on a private program left users trapped in an infinite refresh loop, rendering their accounts unusable. The incident highlights the importance of robust server-side checks on profile data.

First I navigated to the platform's website, let's call it Target.com, and opened the login page.

Upon reaching the login page, I created two accounts:

1) For the Attacker and

2) Another for the victim.

I then logged in with the attacker account in one browser and the victim account in another. From the attacker's account I visited the edit-profile feature (probably every hacker's favourite feature for testing 😛).

I have previously found many issues in these features, so I was pretty sure I'd find something today. I noticed that the email here is not changeable through the UI, so I edited other profile data such as the first name and turned on Burp Suite's intercept.

(For those who don't know Burp Suite, see: https://portswigger.net/burp/documentation/desktop/getting-started/intercepting-http-traffic )

I intercepted the request and noticed that it contained an “Email” parameter even though the UI did not expose the field as editable.

This reminded me of a write-up where I read about an account takeover through an “Email” parameter. By now I was really excited and wanted to see what would happen if I entered someone else's email here. This is where the victim's email address and account come in.

I entered the victim's email address in the “Email” parameter and turned off my intercept.

This was the moment of truth, as I had no idea what the impact would be. I switched to the victim's account to check, refreshed the page, and bam: from the attacker's account I had changed the attacker's email address to match the victim's, causing an unintended association between the two accounts.

Once the exploit was set in motion, the attacker’s account continued to function normally, while the victim, upon attempting to log in, was trapped in an endless cycle of refreshing, unable to gain access to their account.
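To make the failure concrete, here is an added example (not code from the write-up or the affected platform) that models the flow above: a profile-update handler that applies every submitted parameter, including a hidden email field, to a store with no uniqueness constraint, beside a hardened handler that allow-lists editable fields and routes email changes through a uniqueness check plus a verification token. The field names, handler names, sample accounts and the "exactly one match or fail" login lookup are all assumptions; the write-up does not show the server side, so the collision-to-login-failure mapping is a plausible model of the refresh loop, not the confirmed mechanism.

```python
# Added example, not the author's or the target's code. Models the profile
# update bug from the write-up and a hardened alternative. All identifiers
# and the sample accounts below are constructed for illustration.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
import secrets


@dataclass
class User:
    user_id: int
    email: str
    first_name: str
    pending_email: Optional[str] = None   # hardened flow only
    pending_token: Optional[str] = None   # hardened flow only


class Store:
    """Users keyed by id. Email has NO uniqueness constraint (assumed, as on the target)."""

    def __init__(self) -> None:
        self.users: Dict[int, User] = {}

    def add(self, user: User) -> None:
        self.users[user.user_id] = user

    def find_by_email(self, email: str) -> List[User]:
        norm = email.strip().lower()
        return [u for u in self.users.values() if u.email.strip().lower() == norm]


def update_profile_vulnerable(user: User, form: Dict[str, str]) -> None:
    """Mass assignment: applies any parameter the client adds, including 'email'."""
    for key, value in form.items():
        if hasattr(user, key):
            setattr(user, key, value)


def resolve_login(store: Store, email: str) -> Optional[User]:
    """Lookup succeeds only on exactly one match. Two accounts sharing an
    email return None: an unresolvable identity state of the kind that can
    surface as an endless redirect/refresh loop (assumed server behaviour)."""
    matches = store.find_by_email(email)
    return matches[0] if len(matches) == 1 else None


MUTABLE_PROFILE_FIELDS = frozenset({"first_name"})


def update_profile_hardened(user: User, form: Dict[str, str]) -> None:
    """Reject, rather than silently apply, any field outside the allow-list."""
    unexpected = set(form) - MUTABLE_PROFILE_FIELDS
    if unexpected:
        raise ValueError(f"fields not editable here: {sorted(unexpected)}")
    for key in MUTABLE_PROFILE_FIELDS & set(form):
        setattr(user, key, form[key])


def request_email_change(store: Store, user: User, new_email: str) -> str:
    """Separate flow: uniqueness check first, then a token sent to the new address."""
    if store.find_by_email(new_email):
        raise ValueError("email already in use")
    token = secrets.token_urlsafe(32)
    user.pending_email = new_email.strip().lower()
    user.pending_token = token
    return token   # in a real app this is mailed to new_email, never echoed to the client


def confirm_email_change(store: Store, user: User, token: str) -> None:
    """Apply only after proof of control; re-check uniqueness to close the race window."""
    if user.pending_email is None or user.pending_token is None:
        raise ValueError("no pending change")
    if not secrets.compare_digest(user.pending_token, token):
        raise ValueError("bad token")
    if store.find_by_email(user.pending_email):
        raise ValueError("email already in use")
    user.email = user.pending_email
    user.pending_email = user.pending_token = None


def demo() -> Tuple[Optional[User], str]:
    """Replays the write-up: attacker edits first name, Burp adds the victim's email."""
    store = Store()
    attacker = User(1, "attacker@example.com", "Mallory")   # constructed accounts
    victim = User(2, "victim@example.com", "Alice")
    store.add(attacker)
    store.add(victim)
    update_profile_vulnerable(attacker, {"first_name": "Mal", "email": "victim@example.com"})
    victim_login = resolve_login(store, "victim@example.com")   # None: two accounts collide
    try:   # same tampered request against the hardened endpoint is refused outright
        update_profile_hardened(victim, {"first_name": "Al", "email": "attacker@example.com"})
        outcome = "accepted"
    except ValueError as exc:
        outcome = str(exc)
    return victim_login, outcome
```

The fix is two-fold: the profile endpoint must never accept identity fields just because they appear in the request body, and any email change must be verified against the new address and enforced unique (ideally also by a database constraint) before it is persisted.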

The impact of this access control vulnerability should not be underestimated. Users who fall victim to this exploit find themselves locked out of their accounts indefinitely, unable to use the platform's services and potentially losing important connections and opportunities. Such incidents also damage the reputation of the affected platform and erode user trust.

The incident serves as a sobering reminder that even established platforms must continually prioritize robust security practices to safeguard user data and maintain a trusted digital environment.