Unveiling an Account Takeover Vulnerability in a Leading Automobile Brand


Anekant Singhai Jain

Recently, I had the opportunity to participate in a private bug bounty program hosted by a prominent automobile manufacturer. While I’m unable to disclose specific details, I’m excited to share a scenario anonymously that highlights an important security vulnerability.

Upon accessing an internal server, I encountered a login page with two sets of credentials:

User1: Password1
User2: Password2

Curious to explore potential security loopholes, I decided to initiate password reset testing. During this process, I made several key observations:

Data Transmission: The login data was transmitted in JSON format.
Data Structure: The JSON payload consisted of four keys: email, username, previous password, and new password.
Encryption: Interestingly, while the data was encrypted during transmission, the backend system processed unencrypted fields such as username and email.

Inspired by the unencrypted nature of certain fields, I devised a plan to exploit the system. By manipulating the username and email fields, I attempted to swap the credentials between User1 and User2. Surprisingly, when I changed the username of User1 to match that of User2, the system responded with a 200 OK status code.

Excited by this discovery, I logged out and attempted to log in as User2 using the modified credentials. To my astonishment, the system accepted the modified credentials, granting me access to User2’s account without requiring the original password.

This vulnerability highlights the importance of robust encryption practices, particularly when handling sensitive user data. In this case, the oversight in encrypting all fields left the system vulnerable to account takeover attacks.

To mitigate similar vulnerabilities, organizations should:

Encryption: Implement comprehensive encryption protocols for all sensitive data, including usernames and emails.
Session Management: Implement robust session management techniques, such as session expiration and secure session token handling, to prevent unauthorized access to user accounts. Invalidate sessions after a certain period of inactivity and ensure that session tokens are securely generated and transmitted.
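To make the scenario above concrete, the following is an added example (not code from the program in the write-up) that models a password-reset handler with the four-key JSON body the author describes. The vulnerable variant selects the account to update from the client-supplied username and email, so User1 can set User2's password; the hardened variant takes the target account from the server-side session only and rejects a body whose identity fields do not match it. The account store, user names and passwords are constructed sample data.

```python
import hashlib
import hmac
import os

def _hash(pw: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

def _set_password(acct: dict, new_pw: str) -> None:
    acct["salt"] = os.urandom(16)
    acct["pw_hash"] = _hash(new_pw, acct["salt"])

def make_store() -> dict:
    """Constructed sample accounts (not the program's data), mirroring the two test users."""
    store = {"User1": {"email": "user1@example.com"}, "User2": {"email": "user2@example.com"}}
    _set_password(store["User1"], "Password1")
    _set_password(store["User2"], "Password2")
    return store

def check_password(store: dict, user: str, pw: str) -> bool:
    acct = store.get(user)
    return acct is not None and hmac.compare_digest(acct["pw_hash"], _hash(pw, acct["salt"]))

def reset_vulnerable(store: dict, session_user: str, payload: dict) -> int:
    """Checks the old password against the logged-in user, then writes to whichever account the body names."""
    if not check_password(store, session_user, payload["previous_password"]):
        return 401
    target = store.get(payload["username"])  # client-controlled identity: the flaw
    if target is None or target["email"] != payload["email"]:
        return 404
    _set_password(target, payload["new_password"])
    return 200

def reset_hardened(store: dict, session_user: str, payload: dict) -> int:
    """Target comes from the server-side session; body identity fields must match it, checks precede any write."""
    acct = store[session_user]
    if payload["username"] != session_user or payload["email"] != acct["email"]:
        return 403
    if not check_password(store, session_user, payload["previous_password"]):
        return 401
    _set_password(acct, payload["new_password"])
    return 200

def demo(handler) -> bool:
    """Replays the write-up: User1 resets 'User2', then User2's login is tried with the new password."""
    store = make_store()
    payload = {"email": "user2@example.com", "username": "User2",
               "previous_password": "Password1", "new_password": "Hijacked!"}
    handler(store, "User1", payload)
    return check_password(store, "User2", "Hijacked!")  # True means takeover succeeded
```

Running `demo(reset_vulnerable)` returns True and `demo(reset_hardened)` returns False; a legitimate self-service reset still returns 200 under the hardened handler.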

If you like what I do, I also write research and code-review series, which can be visited here.

I am actively looking for a job; if you can help me, here’s my LinkedIn.

My Twitter
