Breaking Reset Password Logic To Get Account Takeover Without User Interaction

Prajit Sindhkar
3 min read · Jul 4, 2021


Hello guys👋👋, Prajit here from the BUG XS Team. In this write-up I will share how I broke the reset-password logic to get an account takeover without any user interaction.

Before we get into the steps I performed, I first need to explain the basic functionality of this website.

Password Reset Functionality

On this website the password reset flow had 3 steps.

Step-1: Entering the email address to which the verification code will be sent

Step-I Of Forget Password Flow

Step-2: Confirming the verification code that you received by email

Step-II Of Forget Password Flow

Step-3: The change-password page, shown if the confirmation code is correct.

Step-III Of Forget Password Flow

I hope the basic functionality is clear now; let's discuss how I found an account takeover vulnerability through a flaw in the logic of this flow.

Flaw In The Logic Which Led To Account Takeover

As usual for this kind of bug, you need two accounts for testing, so let's call them testattacker@gmail.com (Attacker) and testvictim@gmail.com (Victim).

  1. In the first step, request a password-reset confirmation code for testattacker@gmail.com.
  2. You will receive the confirmation code in your email; enter the correct code and validate it (capture this request in Burp Suite at this point).
  3. In Burp Suite, right-click > Do Intercept > Response to this request.
  4. Forward it and you will get a response; copy it and save it somewhere for later use (this is the response returned when the confirmation code is correct).
  5. You will now get the Step-III page, but we don't want to change the attacker's password😂, so go back to the Step-I page and this time request a confirmation code for the password reset of testvictim@gmail.com.
  6. This time the victim receives the confirmation code in their email, but since we don't have access to their mailbox we enter any random number, e.g. 123456 (capture this request in Burp Suite at this point).
  7. In Burp Suite, right-click > Do Intercept > Response to this request.
  8. Forward it and you will get a response (this is the response returned when the confirmation code is incorrect).
  9. Replace this response with the correct response you copied earlier and click Forward.
  10. You will see that Step-II has been passed with a wrong code but the correct response, and we are now on Step-III.
  11. Simply enter a new password, save it, and then try to log in as testvictim@gmail.com with the new password.
  12. You will be able to log in, hence Account Takeover Successful😈.
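A toy model of the two possible Step-III designs, added here as an illustration and not the site's actual code (ResetService, set_password_vulnerable, set_password_fixed and run_flow are constructed names): the vulnerable version assumes the browser only reaches Step III after Step II succeeded, so the swapped response is enough; the fixed version mints a single-use, account-bound reset token on the server only when the code really is correct, so no client-side response swap can touch the victim's password.

```python
import hmac
import secrets

ATTACKER, VICTIM = "testattacker@gmail.com", "testvictim@gmail.com"

class ResetService:
    def __init__(self):
        self.passwords = {VICTIM: "victim-secret", ATTACKER: "attacker-secret"}
        self.codes = {}         # email -> code sent by e-mail in Step I
        self.reset_tokens = {}  # token -> email, minted only when Step II succeeds

    def request_code(self, email):
        self.codes[email] = f"{secrets.randbelow(10**6):06d}"
        return self.codes[email]  # returned only so the demo can play the mailbox

    def verify_code(self, email, code):
        expected = self.codes.pop(email, None)  # one attempt per code
        if expected is None or not hmac.compare_digest(expected, code):
            return {"status": "error"}
        token = secrets.token_urlsafe(32)
        self.reset_tokens[token] = email
        return {"status": "ok", "reset_token": token}

    def set_password_vulnerable(self, email, new_password):
        # Step III as in the write-up: nothing ties this request to a verified Step II
        self.passwords[email] = new_password
        return True

    def set_password_fixed(self, reset_token, new_password):
        # Step III bound to server state: the account comes from a single-use token, not the request
        email = self.reset_tokens.pop(reset_token, None)
        if email is None:
            return False
        self.passwords[email] = new_password
        return True

def run_flow(fixed):
    # Replay the write-up's steps; return (victim's final password, attacker's final password)
    svc = ResetService()
    token = svc.verify_code(ATTACKER, svc.request_code(ATTACKER))["reset_token"]
    real = svc.request_code(VICTIM)
    guess = "000000" if real != "000000" else "111111"   # any wrong code
    if svc.verify_code(VICTIM, guess)["status"] != "error":
        raise AssertionError("server must reject a guessed code")
    if fixed:
        svc.set_password_fixed(token, "chosen-by-attacker")  # hits the attacker's own account
        assert not svc.set_password_fixed(token, "again")    # token is single-use
    else:
        svc.set_password_vulnerable(VICTIM, "chosen-by-attacker")
    return svc.passwords[VICTIM], svc.passwords[ATTACKER]
```

With the vulnerable Step III the victim's password ends up attacker-chosen; with the fixed one the only account the attacker's token can reset is the attacker's own.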

Takeaway:

Always understand the functionality first and look for such loopholes and logical flaws in it, especially in forgot-password functionality, as they can lead to account takeover. And remember, whenever you are trying to find or report an account takeover, try to reduce the user interaction required as much as possible; this increases the severity of the bug and will prove very rewarding.

That's all for this write-up; I hope you liked it, and do let me know if you have any doubts✌️.

Thanks For Reading😊

Profile Links:

Twitter: https://twitter.com/SAPT01

LinkedIn: https://www.linkedin.com/in/prajit-sindhkar-3563b71a6/

Instagram: https://instagram.com/prajit_01?utm_medium=copy_link

BUG XS Official Website: https://www.bugxs.co/

Prajit Sindhkar

I am an India-based Security Researcher, Bugcrowd Top 500 Hacker and Bug Bounty Leader of the BUGXS Community.