Breaking Reset Password Logic To Get Account Takeover Without User Interaction

Password Reset Functionality

On this website the password reset flow had three steps: request a confirmation code for the account's email address, submit that code, and then set a new password.

(Screenshots: Step-I, Step-II and Step-III of the forgot-password flow)

Flaw In The Logic Which Led To Account Takeover

As usual for this kind of bug, you need two accounts for testing, so let's call them testattacker@gmail.com (Attacker) and testvictim@gmail.com (Victim).

  1. In Step-I, request a password reset confirmation code for testattacker@gmail.com.
  2. The confirmation code arrives in your email; enter the correct code and submit it (capture this request in Burp Suite).
  3. In Burp Suite, right-click the request and choose Do Intercept > Response to this request.
  4. Forward the request and you will get a response; copy it and save it for later (this is the response returned when the confirmation code is correct).
  5. You now reach the Step-III page, but we don't want to change the attacker's password here 😂, so go back to the Step-I page and this time request a confirmation code for the password reset of testvictim@gmail.com.
  6. This time the victim receives the confirmation code in their email. Since we have no access to that mailbox, enter any random number, e.g. 123456 (capture this request in Burp Suite).
  7. In Burp Suite, right-click the request and choose Do Intercept > Response to this request.
  8. Forward the request and you will get a response (this is the response returned when the confirmation code is incorrect).
  9. Replace this response with the correct-code response saved earlier and click Forward.
  10. Step-II has now been passed with a wrong code and a copied success response, and we are on the Step-III page.
  11. Enter a new password, save it, and then try to log in as testvictim@gmail.com with the new password.
  12. The login succeeds, so the account takeover is complete 😈.
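The root cause is that the Step-III password change is accepted on the strength of what the client saw in the Step-II response, so nothing on the server ties "the code was correct" to "this password change is allowed". The following Python model is an added example, not the site's code or the author's: it puts a Step-III endpoint that trusts the client's view of Step-II beside a hardened one that only accepts a single-use, short-lived reset token the server itself issued when the code matched, with a rate limit and constant-time comparison on the code check. All names, limits and sample addresses are constructed for the illustration.

```python
"""Three-step password reset: vulnerable Step-III beside a hardened one.
Constructed example; not the code of the site in the write-up."""
import hmac
import secrets
import time

CODE_TTL_SECONDS = 600      # how long an emailed confirmation code stays valid (assumed)
TOKEN_TTL_SECONDS = 300     # how long a Step-II success token stays valid (assumed)
MAX_CODE_ATTEMPTS = 5       # lock the code after this many wrong guesses (assumed)


class ResetService:
    """In-memory stand-in for the server side of the reset flow."""

    def __init__(self):
        self.pending_codes = {}   # email -> {"code", "expires", "attempts"}
        self.reset_tokens = {}    # token -> {"email", "expires"}
        self.passwords = {}       # email -> current password (plain text only for brevity)

    # Step I: the user asks for a confirmation code.
    def request_code(self, email):
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending_codes[email] = {"code": code, "expires": time.time() + CODE_TTL_SECONDS, "attempts": 0}
        # A real server emails the code; it is returned here only so the test can act as the mailbox owner.
        return code

    # Step II: check the code. Returns the body the client receives.
    def verify_code(self, email, submitted):
        entry = self.pending_codes.get(email)
        if entry is None or time.time() > entry["expires"]:
            return {"status": "error"}
        if entry["attempts"] >= MAX_CODE_ATTEMPTS:
            return {"status": "error"}          # brute-forcing a 6-digit code is cut off here
        entry["attempts"] += 1
        if not hmac.compare_digest(entry["code"], submitted):
            return {"status": "error"}
        # Correct code: bind the success to a server-side, single-use token.
        token = secrets.token_urlsafe(32)
        self.reset_tokens[token] = {"email": email, "expires": time.time() + TOKEN_TTL_SECONDS}
        del self.pending_codes[email]
        return {"status": "ok", "reset_token": token}

    # Step III, vulnerable: assumes the client only reaches this page after a
    # successful Step II, so it checks nothing but the email field.
    def set_password_vulnerable(self, email, new_password):
        self.passwords[email] = new_password
        return {"status": "ok"}

    # Step III, hardened: the change is accepted only with a valid token that
    # the server issued for this exact email in Step II, and the token is consumed.
    def set_password_hardened(self, email, new_password, reset_token):
        entry = self.reset_tokens.pop(reset_token, None)   # single use
        if entry is None or entry["email"] != email or time.time() > entry["expires"]:
            return {"status": "error"}
        self.passwords[email] = new_password
        return {"status": "ok"}


def replayed_success_body(svc, victim):
    """Model the write-up's scenario: a wrong code, then Step III submitted as if
    the client had received the 'correct code' response. Returns the three
    statuses (Step II, vulnerable Step III, hardened Step III)."""
    svc.request_code(victim)
    step2 = svc.verify_code(victim, "123456")                  # guess; no access to the victim's mailbox
    swapped = {"status": "ok", "reset_token": "forged-token"}  # the client-side substituted response
    vuln = svc.set_password_vulnerable(victim, "attacker-pw")
    hard = svc.set_password_hardened(victim, "attacker-pw", swapped["reset_token"])
    return step2["status"], vuln["status"], hard["status"]


def legitimate_reset(svc, email):
    """The honest flow against the hardened endpoint."""
    code = svc.request_code(email)
    step2 = svc.verify_code(email, code)
    return svc.set_password_hardened(email, "new-pw", step2["reset_token"])["status"]
```

The check that matters is in `set_password_hardened`: whatever the client displays, the server only changes a password when it holds its own record of a successful Step II for that email. Logging the `error` branches of `verify_code` and `set_password_hardened` also gives a simple detection signal for this class of tampering, since a Step-III request without a valid token never occurs in honest use.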

Takeaway:

Always understand the functionality first and then look for loopholes and logic flaws in it, especially in forgot-password features, because there they lead straight to account takeover. And whenever you find or report an account takeover, try to reduce the required user interaction as much as possible: this raises the severity of the bug and makes it far more rewarding.

Prajit Sindhkar


I am an India-based Security Researcher, Bugcrowd Top 500 Hacker and Bug Bounty Leader of the BUGXS Community.