Breaking Reset Password Logic To Get Account Takeover Without User Interaction

Password Reset Functionality

Step-I Of Forget Password Flow
Step-II Of Forget Password Flow
Step-III Of Forget Password Flow

Flaw In The Logic Which Leads To Account Takeover

  1. In Step-I, request a password-reset confirmation code for testattacker@gmail.com.
  2. The confirmation code arrives in your email; enter the correct code and validate it (capture this request in Burp Suite at this point).
  3. In Burp Suite do Right Click > Do Intercept > Response to this request.
  4. Forward the request and you will get a response; copy it and save it somewhere for later use (this is the response returned when the confirmation code is correct).
  5. You now land on the Step-III page, but we don't want to change the attacker's password here😂, so go back to the Step-I page and this time request a password-reset confirmation code for testvictim@gmail.com.
  6. This time the victim receives the confirmation code in their email. Since we don't have access to that mailbox, enter any random number, e.g. 123456 (capture this request in Burp Suite at this point).
  7. In Burp Suite do Right Click > Do Intercept > Response to this request.
  8. Forward the request and you will get a response (this is the response returned when the confirmation code is incorrect).
  9. Replace this response with the correct response you copied earlier and click Forward.
  10. You will see that Step-II has been validated with a wrong code and the substituted correct response, and you are now on Step-III.
  11. Simply write a new password, save it, and then try to log in as testvictim@gmail.com with the new password.
  12. The login succeeds, hence Account Takeover Successful😈.
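The root cause is that Step-III trusts the client's progress through the flow rather than anything the server itself recorded at Step-II. The following is an added Python model (not code from the original post or the affected application) that contrasts the flawed design with a server that issues a single-use, account-bound reset token only after the code is verified and requires it at Step-III; the `ResetServer` class, its method names and the `VICTIM` constant are assumptions for the demonstration.

```python
import hashlib
import hmac
import secrets

VICTIM = "testvictim@gmail.com"   # account name taken from the write-up

class ResetServer:
    """bind_step2=False reproduces the flaw: Step III only checks that a reset
    is pending. bind_step2=True makes Step II issue a single-use token."""

    def __init__(self, bind_step2):
        self.bind_step2 = bind_step2
        self.codes = {}      # email -> confirmation code that was e-mailed
        self.tokens = {}     # email -> single-use reset token (hardened mode)
        self.passwords = {}  # email -> password hash

    def step1_request_code(self, email):
        code = f"{secrets.randbelow(10**6):06d}"
        self.codes[email] = code
        return code          # delivered to the mailbox, never to the browser

    def step2_verify_code(self, email, code):
        expected = self.codes.get(email)
        if expected is None or not hmac.compare_digest(expected, code):
            return {"ok": False}
        if not self.bind_step2:
            return {"ok": True}          # nothing ties this result to Step III
        self.tokens[email] = secrets.token_urlsafe(32)
        return {"ok": True, "reset_token": self.tokens[email]}

    def step3_set_password(self, email, new_password, reset_token=None):
        if self.bind_step2:
            issued = self.tokens.pop(email, None)   # single use, even on failure
            if issued is None or not hmac.compare_digest(issued, reset_token or ""):
                return False
        elif email not in self.codes:
            return False     # vulnerable mode: only "a reset is pending" is checked
        # demo only: use a slow password hash (argon2/bcrypt) in production
        self.passwords[email] = hashlib.sha256(new_password.encode()).hexdigest()
        self.codes.pop(email, None)
        return True

def simulate_attack(bind_step2):
    """Wrong code for the victim, forged 'ok' response in the proxy, new password."""
    srv = ResetServer(bind_step2)
    real_code = srv.step1_request_code(VICTIM)        # lands in the victim's inbox
    guess = "123456" if real_code != "123456" else "654321"  # keeps the demo deterministic
    resp = srv.step2_verify_code(VICTIM, guess)       # server answers {"ok": False}
    # The proxy swaps in {"ok": True}, but the server never sees that: all the
    # attacker holds is what Step II really returned, which carries no token.
    return srv.step3_set_password(VICTIM, "new-password", resp.get("reset_token"))
```

In the flawed mode the forged response is enough because Step-III never asks for proof that Step-II passed; in the hardened mode the client-side substitution is irrelevant, since the token is issued and checked entirely on the server.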

Takeaway:


I am a India Based Security Researcher, Bugcrowd Top 500 Hacker and Bug Bounty Leader of the BUGXS Community

Prajit Sindhkar