Forging a Path to Account Takeover: Copy Password Reset Link Vulnerability worth $$$$.
2023-6-12 16:27:25 Author: infosecwriteups.com(查看原文) 阅读量:11 收藏

Manav Bankatwala

InfoSec Write-ups

Hello everyone,

First and foremost, I want to express my heartfelt gratitude to all of you. Your overwhelming response and positive engagement with my previous writeups have been nothing short of inspiring. Your support has motivated me to delve even deeper into the fascinating world of cybersecurity and share my findings with this brilliant-minded community.

For those who may have missed my previous writeups, I’ve included the link here for your convenience:

https://infosecwriteups.com/unique-rate-limit-bypass-worth-1800-6e2947c7d972

This vulnerability is all about how I was able to takeover any user account without any interaction just by using a new feature which most of the organization's don’t implement. Let me give you a good understanding of the target and it’s functionality.

Let’s say the target is target.com, it’s a video learning platform where you can upload video about any course or training and share it with public, private or even for any ecommerce purposes. The target was having lots of different functionality including team management and inviting users to team. So once we invite someone to our team. We can edit that user’s info and change password too.

One important thing to note that whenever a new user was created, a unique userid was assigned which was actually sequential and can be easily guessed. They implemented this because users share their videos and to make this procedure simple and easy to remember profile links.

So you all must be knowing that whenever there is an invite user feature and team management feature. We can even manage and edit invited user’s info and sometimes change their password too. But here an additional functionality was there which was “copy reset password link”. What this button do is it will copy the reset password link of that invited user. It’s just like using password reset functionality but here the team manager can copy the reset password link of it’s invited user.

What actually was happening at the backend? When we click on that button, a request was sent to the server asking for the reset password link of that user and server responds with the link which then gets copied into our clipboard.

You must be thinking that what’s the difference between this functionality and normal reset password functionality? The main difference was that when we use the reset password functionality, the server was only responding that “Password reset link sent in email”. But in this endpoint, the link was sent in the response by the server. I immediately thought that this might be a case where a vulnerability exist.

I noted down some things which I though might help i.e. userid’s of some users (Both invited and non invited users) and the request when we click on copy password reset link. It looked something like this

The request endpoint was : target.com/json/reply/GetResetPasswordLinkRequest?userid=<id>.

  1. At first, I thought about changing the userid parameter to someone else user id parameter i.e. not of invited user but a non invited user or some other admin’s userid.
  2. I changed the userid in request and sent the request. To which I thought it should throw an unauthorized error but instead it sent the some password reset link in response.
Response when user id was changed unauthorized

3. I was not able to believe and got so happy that it’s an account takeover just by user id. I thought to use this link asap and demonstrate the complete impact. But when I opened the link, entered the new password and clicked on submit, it showed me an error.

4. It was all about some minutes of joy and now it showed an error. So I thought that they have some implementations which prevented this.

Here comes the important part :

After that error, generally researches just move to some other approach or test some other functionality thinking that this didn’t worked. But here what I did is tried to login into victim account with the old password….and and and it actually showed me incorrect password.

I immediately entered the new password that I used in the link and the login was successful. So what actually happened? Even if the password reset link showed this error, the password was actually changed at the backend. It was just this error at the frontend.

I immediately tried to change the password of some other account on that platform as users id was publicly visible. I was actually able to change the password of the blog account from which organization was posting blog content and showed the impact this way.

The organization, immediately implemented the necessary fix and told me to wait as they are doing some other major fixes too. They rewarded me with $$$$ according to their bounty tier.

Tips and Takeaways : Sometimes even if error comes to your way, always revalidate the changes you’ve tried to made. We may miss lots of things if not validated.

Always keep the endpoints noted where any sensitive information is visible in the response.

Follow me on medium and turn the notifications on, as my next writeup is all about a really long chain of IDOR and how I was able to easily exploit it exposing all the corporate accounts information.

https://www.linkedin.com/in/manavbankatwala/

https://www.instagram.com/manav.bug/

https://twitter.com/manavbankatwala


文章来源: https://infosecwriteups.com/forging-a-path-to-account-takeover-copy-password-reset-link-vulnerability-worth-4ad1f9ae03be?source=rss----7b722bfd1b8d--bug_bounty
如有侵权请联系:admin#unsafe.sh