Imagine waking up one day, sipping your coffee ☕, and thinking, “Let’s see if I can reset someone else’s password without their permission!” (For ethical hacking purposes, of course). Well, that’s exactly what I did… and guess what? It worked. 😎
This story is about how I discovered a critical Account Takeover vulnerability in a [REDACTED] platform’s password reset mechanism and reported it via a public bug bounty program on HackerOne.
Here’s how the magic happened:
I went to [REDACTED].com, entered my email, and clicked on that innocent-looking “Forgot Password” button.
As always, I had Burp Suite ready to sniff out anything suspicious. When I sent the password reset request, I noticed an interesting authenticity_token in the request.
Shortly after, I received the usual “Reset your password” email. The link looked something like this:
https://[REDACTED].com/<sometoken>
I noticed that clicking on the reset link actually redirected me to another URL:
https://[REDACTED].com/password/edit?token=<sometoken>
This got me thinking: “What if I replace this token with the authenticity_token from Burp?” (Famous last words before breaking things).
I took the authenticity_token captured in Burp Suite, plugged it into the reset link like so:
https://[REDACTED].com/password/edit?token=<authenticity_token>
And just like that… 🎉 I was on the password reset page, without needing the actual reset link from the email!
I successfully reset the password without ever having access to the victim’s email. Congratulations! You now have an Account Takeover vulnerability. 🏆
Any attacker could reset the password of any user just by capturing the token in Burp Suite. No email verification was required, making this an account takeover nightmare.
Severity: High 🔥
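The root cause described above is that the reset endpoint accepted a token that was never bound to a user or to a pending reset, so a session-level value like the Rails CSRF authenticity_token passed the check. The snippet below is an added example written for this post (it is not code from the original post or from the affected platform) showing the properties a reset flow needs to close that gap: a random token issued only at "Forgot password" time, stored as a digest and tied to the account, expiring, and single-use. Any token not found in that store, including a CSRF token, is rejected. The in-memory `USERS` hash, the `PasswordResetService` class and the injectable clock are assumptions made for the demo.

```ruby
require 'securerandom'
require 'openssl'

# Constructed stand-in for the application's user table.
USERS = {
  'alice@example.com' => { id: 1, password_digest: nil }
}

class PasswordResetService
  TOKEN_TTL = 15 * 60 # seconds a reset link stays valid

  # clock is injectable so expiry can be exercised deterministically.
  def initialize(users, clock: -> { Time.now.to_i })
    @users = users
    @clock = clock
    @pending = {} # SHA-256(token) => { user_id:, expires_at: }
  end

  # "Forgot password": issue a token bound to the account that owns the email.
  # The raw token belongs only in the e-mail; it is never echoed in an HTTP response.
  # Unknown addresses get the same response path but no pending entry.
  def request_reset(email)
    raw = SecureRandom.urlsafe_base64(32)
    user = @users[email]
    return nil unless user
    @pending[digest(raw)] = { user_id: user[:id], expires_at: @clock.call + TOKEN_TTL }
    raw
  end

  # GET /password/edit?token=...: the only lookup is against the reset store,
  # so a CSRF/session token (never issued here) cannot match.
  def find_pending(raw_token)
    entry = @pending[digest(raw_token.to_s)]
    return nil unless entry
    return nil if entry[:expires_at] < @clock.call
    entry
  end

  # Submit new password: the token is consumed so it cannot be replayed.
  def reset_password(raw_token, new_password)
    entry = find_pending(raw_token)
    return false unless entry
    @pending.delete(digest(raw_token))
    user = @users.values.find { |u| u[:id] == entry[:user_id] }
    # Real code hashes passwords with bcrypt/Argon2; SHA-256 is a stand-in here.
    user[:password_digest] = digest(new_password)
    true
  end

  private

  def digest(value)
    OpenSSL::Digest::SHA256.hexdigest(value)
  end
end
```

Storing only the digest of the token means a leaked database dump does not yield usable reset links, and looking tokens up solely in the reset store is what makes the substitution trick in this post fail: the authenticity_token was never issued by `request_reset`, so `find_pending` has nothing to match it against.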
In the end, I got a hilarious story out of it. And that’s what really matters… right? Right?! 😭
Lesson learned? Always test your password reset mechanisms thoroughly. Otherwise, you might just end up featured in a hacker’s funny blog post. 😆
Shoutout to HackerOne and [REDACTED] team for the fun ride. Until next time, happy hacking! 👨💻💜
Follow me on Linkedin: https://www.linkedin.com/in/dinesh-kumar-cyber-security/