Unleashing Chaos: The Tale of the 0-Click Account Takeover

Hi There! I’m Hassaan Muhammed, a PT @BugSwagger LLC

fellow psycho security, to a riveting journey through the treacherous terrain of web vulnerabilities. Today’s tale is a spine-tingling saga of wits, whimsy, and a dash of audacity as we uncover the secrets of a 0-click account takeover via the innocuous “Change Email” function. So strap in, hold onto your hats, and let’s dive headfirst into the abyss of digital mischief.

NOTE: I’m not writing this for beginners to explain what is burp and how intruder works so I’ll just hit the details directly.

A little Description:

The flaw resides in the authentication mechanism of the “Change Email” feature. Upon initiating an email change request, the application requires three parameters: User ID, current email, and new email. Notably, the “_csrfToken” in the request is totally useless, let’s start our process to get the required parameters.

- User ID (5 numbers)
- Victim email
- Attacker email
But fear not, dear reader, your hero will spot a chink in the armor.

Exploitation Process:

Despite the absence of an exposed endpoint revealing User IDs or Emails, an exhaustive brute-force approach from 00000 to 99999 successfully dumps all Users IDs with the Email associated with every ID.

Getting The Users Data:

Upon initiating the “Change Email” function, intercept the request to capture essential parameters, Utilizing tools such as Intruder, iterate through potential User IDs to pinpoint the victim’s account.

POST /users/change-email HTTP/1.1
Host: app.example.com
Cookie: */*
Origin: https://app.example.com
Content-Type: application/x-www-form-urlencoded
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-Dest: document
Referer: https://app.example.com/users
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Priority: u=0, i
Connection: close

_method=PUT&_csrfToken=your-token&id=00000&current_email=example@gmail.com&new_email=attacker@gmail.com&email_again=attacker@gmail.com

as you can see, all the IDs under Payload column are vaild IDs, if you click on any request you can see the associated email for this ID

TakeOVER:

Now we have all the user’s data, but how can i takeover any account?

Using the same request we used to enumerate the IDs and email’s i was able to send a confirmation number to the victim email to change his email to the attacker email, the confirmation number is 6-digits and as before there’s no limit on the confirmation request to the site so brute-force the confirmation number that validate the request was easy.

The confirmation number that website send to user when changing his email

To simplify what just happened:

1 — Intercept the request to change the email.

2 — Send it to intruder and brute-force the User-ID.

3 — Notice the users IDs and email’s leaked on Render.

4 — Use the same request to change the victim email, and the server will send a confirmation “6-Digits” to the victim email.

5 — Send the request that validate the confirmation code to intruder and brute-force the “6-Digits” number.

6 — Account Take-Over.

Until next time, keep your wits sharp, your code cleaner than a freshly scrubbed whistle, and may your adventures in psychosecurity be as thrilling as they are enlightening. Farewell, fellow adventurers, until we meet again in the ever-expanding realm of digital possibility!

This finding was while engagement with a client on my work with BugSwagger LLC.