Zero Interaction Mass Account Password Reset Vulnerability


Manan Sanghvi

Hello Guys, I hope you are well.😊 In this write-up I will explain how I found a vulnerability that allows a zero-interaction password reset of any user.

While testing a target website (let’s say xxx.com; the affected host was actually a subdomain, xxxx.xxx.com), I discovered a vulnerability that allows a zero-interaction password reset of any user.🔍

What is the normal scenario?

In a typical password-reset flow, the server emails the user a reset link, and nothing about the account changes until that link is used. Here, however, the reset request carried a “hidden” parameter called “pass_sent”, and the server used it as its record of which stage the reset was in. With “pass_sent” changed from false to true, the server treated the link step as already completed: it automatically generated a new password for the account and sent it to the specified email address. In other words, the state of the reset was trusted from the client instead of being kept on the server.🔒

Why is this a vulnerability?

Consider this scenario: my email is abc@gmail.com and my password is Abc@123. An attacker enters my email in the password-reset form, changes “pass_sent” from false to true, and the server generates a new password for my account. My old password Abc@123 is now invalid, and the only valid credential is the one the server just generated. No link was clicked and no confirmation was asked of me.⚠️

1. Navigate to https://xxxx.xxx.com/xx?id=xx_forgot_password.

2. Enter the victim’s email address.

3. Intercept the request using a proxy tool like Burp Suite.

4. In the POST request body, change the “pass_sent” parameter from false to true. The intercepted body looks like this:

{
  "emailEmpty": true,
  "pass_sent": false,
  "customer_email": "{victim's email}",
  "action": "changePassword",
  "sessionRotationTrigger": true
}

5. Forward the request to the server.

The server then generates a new password for the victim’s account and emails it to them. The victim’s old credentials are invalidated without any interaction on their part: nothing was clicked, and no confirmation was requested.🚫
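To make the “normal scenario” and the five steps above concrete, here is an added example (written for this page; it is not the target’s code, and the user store, email addresses, reset URL and class names are all constructed assumptions). A VulnerableReset handler mirrors the write-up: it reads the stage of the reset from the client-supplied pass_sent flag. A HardenedReset handler keeps that state on the server and rotates the password only when the single-use token it emailed is presented back. The demo replays the attacker’s request against both, once per known address, which is what makes the reset “mass”.

```python
"""Vulnerable vs. hardened password-reset handler (added illustration).

Everything here is constructed: the user store, the e-mail addresses, the
reset URL and the class/function names are assumptions, not the target's code.
"""
import secrets
import string

# Constructed in-memory user store (email -> current password).
USERS = {"abc@gmail.com": "Abc@123", "def@example.com": "Def@456"}


def _generate_password(length=16):
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


class Outbox:
    """Stands in for the mail server: records what would have been e-mailed."""

    def __init__(self):
        self.sent = []

    def send(self, to, subject, body):
        self.sent.append({"to": to, "subject": subject, "body": body})


class VulnerableReset:
    """Mirrors the flow in the write-up. The stage of the reset ('link sent' or
    'password already generated') is read from the client-supplied pass_sent
    flag instead of from server-side state, so anyone who knows an address can
    force the second stage directly."""

    def __init__(self, users, outbox):
        self.users, self.outbox = users, outbox

    def change_password(self, body):
        email = body.get("customer_email", "")
        if email not in self.users:
            return {"status": "ok"}          # uniform answer, avoids enumeration
        if body.get("pass_sent") is True:    # attacker-controlled branch
            new_pw = _generate_password()
            self.users[email] = new_pw       # old credential is invalidated here
            self.outbox.send(email, "Your new password", new_pw)
            return {"status": "password_generated"}
        self.outbox.send(email, "Reset your password",
                         "https://example.invalid/reset?token=" + secrets.token_urlsafe(32))
        return {"status": "link_sent"}


class HardenedReset:
    """Never reads a stage flag from the request. The password is rotated only
    when the caller presents the single-use token that was e-mailed, i.e. the
    mailbox owner has demonstrably followed the link."""

    def __init__(self, users, outbox):
        self.users, self.outbox = users, outbox
        self._pending = {}                   # token -> email, server-side only

    def request_reset(self, body):
        email = body.get("customer_email", "")
        if email in self.users:
            token = secrets.token_urlsafe(32)
            self._pending[token] = email
            self.outbox.send(email, "Reset your password",
                             "https://example.invalid/reset?token=" + token)
        return {"status": "ok"}              # pass_sent is simply ignored

    def complete_reset(self, token, new_password):
        email = self._pending.pop(token, None)   # single use
        if email is None:
            return {"status": "invalid_token"}
        self.users[email] = new_password
        return {"status": "password_changed"}


def demo():
    """Replays the attacker's request against both handlers and reports the outcome."""
    attacker_bodies = [
        {"emailEmpty": True, "pass_sent": True, "customer_email": victim,
         "action": "changePassword", "sessionRotationTrigger": True}
        for victim in USERS                  # 'mass' reset: one request per known address
    ]

    users_v, outbox_v = dict(USERS), Outbox()
    vuln = VulnerableReset(users_v, outbox_v)
    vuln_statuses = [vuln.change_password(b)["status"] for b in attacker_bodies]

    users_h, outbox_h = dict(USERS), Outbox()
    hard = HardenedReset(users_h, outbox_h)
    hard_statuses = [hard.request_reset(b)["status"] for b in attacker_bodies]
    forged = hard.complete_reset("guessed-token", "Owned!1")
    hard_old_still_valid = [users_h[e] == USERS[e] for e in USERS]
    # The real mailbox owner follows the link from the first e-mail.
    real_token = outbox_h.sent[0]["body"].rsplit("token=", 1)[1]
    legit = hard.complete_reset(real_token, "NewSecret#2")

    return {
        "vuln_statuses": vuln_statuses,
        "vuln_old_passwords_still_valid": [users_v[e] == USERS[e] for e in USERS],
        "vuln_new_passwords_mailed_to_victims": [m["to"] for m in outbox_v.sent],
        "hard_statuses": hard_statuses,
        "hard_old_passwords_still_valid": hard_old_still_valid,
        "forged_status": forged["status"],
        "legit_status": legit["status"],
        "hard_password_after_legit_reset": users_h["abc@gmail.com"],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the hardened version is not the token format but where the state lives: the request body can say anything about pass_sent and the server never looks at it, so the only way to move the reset past the “link sent” stage is to present a value that was delivered to the mailbox. A production version would also expire pending tokens and invalidate any other pending tokens for the same address once one is used.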

While this vulnerability allows an attacker to change a user’s password without their consent, it was rated low impact because the server sends the generated password to the victim’s own email address: the attacker never learns it, and the victim keeps access to the account. The issue is still real. The victim’s old credentials are invalidated without their consent, and because the only input needed is an email address, the request can be scripted against a list of addresses, locking many users out of their current passwords at once. The root cause is that the stage of the reset was carried in a client-controlled flag; the usual fix is for the server to track that stage itself and rotate the password only after a single-use token it emailed has been presented back.⚠️

After I sent my report, I didn’t hear back for two months. Then, suddenly, I got a direct response about the bounty. They said they had decided not to tell reporters how they fixed the problem. They did fix the vulnerability and gave me a reward of €€.💰💰

I hope you like this.

Follow Me On LinkedIn (Most Active):

https://www.linkedin.com/in/manan-sanghvi-799863176/

Follow Me On Twitter (I’m not very active there, But still you can connect):

https://twitter.com/An____Anonymous

Thank You.
