How I Discovered Account Takeover (ATO) via IDOR lead to 500$ bounty
Summary: the author picked a program at random and used waybackurls to collect historical URLs for manual inspection; during registration they found a POST request sent with no authentication header or cookies. By creating a second account and changing the ID parameter, they found the server accepted a different email and phone number without verification. Using the forgot-password page and bypassing phone verification, they took over the account and received a bounty. 2025-9-7 13:32:2 Author: infosecwriteups.com

JEETPAL

Hello Everyone,

Today, I want to share my experience of discovering an account takeover (ATO) vulnerability through IDOR. Let’s dive right in!

So, hunting started with a random program selection; let's call it example.xyz.

I started by enumerating subdomains and checking for a possible subdomain takeover, but found nothing.

I used waybackurls to collect historical URLs for example.xyz and started hunting manually. I visited the signup page and went through the registration process with Burp Suite proxying in the background; registering only required confirming my email and phone number. While doing so I noticed a POST request sent to the server with my email and the following fields, with no Authorization header or cookies at all, as if I were not logged in:

{
"id": "67274f46-b5d8-4826-bf29-d1584a195cfa",
"email": "[email protected]",
"phase": "phone_number",
"country_code": "91",
"phone_number": "123456789",
"verification_id": "46ab8b35-0722-4652-a76c-e3c3b2642df0"
}

Then I created a second account, took that account's ID, and changed the id field in the request to the second account's ID. After verifying a valid email and number, I was surprised to see the server accept the other account's number and email without verification: it saves the information without checking that it was actually verified. So I changed the email and phone of the second user to my own, and here is the trick. I went to the forgot-password page, entered the email, verified it, and was allowed to set a new password. After setting it there was a phone verification step, which is also bypassed, since the server does not validate the phone number when it is changed from the request; I received the OTP on my own phone too.
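As an added illustration (not code from the original write-up or from the affected program), the following Python models the signup phase endpoint described above in a toy in-memory backend. The flawed version accepts whatever id, email and phone the client submits, as the write-up describes; the hardened version ties the request to the authenticated session, ties the verification record to that account, and only writes the contact data the verification was actually issued for. The JSON field names come from the request shown above; the class names, storage and sample accounts are constructed assumptions.

```python
from dataclasses import dataclass
import uuid


@dataclass
class Account:
    id: str
    email: str
    phone: str
    contact_verified: bool = False


@dataclass
class Verification:
    """Issued when the server sends the OTP: records WHO it was issued to and WHAT it proves."""
    id: str
    account_id: str
    email: str
    country_code: str
    phone_number: str
    consumed: bool = False


class SignupBackend:
    """Toy in-memory backend, constructed for this example (not the real service)."""

    def __init__(self):
        self.accounts = {}
        self.verifications = {}

    def start_signup(self, email, country_code, phone_number):
        """Create the account and the verification record the OTP belongs to."""
        account = Account(id=str(uuid.uuid4()), email=email, phone=country_code + phone_number)
        self.accounts[account.id] = account
        ver = Verification(id=str(uuid.uuid4()), account_id=account.id, email=email,
                           country_code=country_code, phone_number=phone_number)
        self.verifications[ver.id] = ver
        return account.id, ver.id

    def complete_phase_vulnerable(self, body):
        """Mirrors the flaw in the write-up: no session check, and the verification is
        treated as proof for whatever id/email/phone the client supplies."""
        account = self.accounts[body["id"]]                  # any id the client names
        ver = self.verifications[body["verification_id"]]
        if ver.consumed:
            raise PermissionError("verification already used")
        # Flaw: the verified values are never compared with the submitted ones,
        # and the verification is not tied to the account being modified.
        account.email = body["email"]
        account.phone = body["country_code"] + body["phone_number"]
        account.contact_verified = True
        ver.consumed = True
        return account

    def complete_phase_hardened(self, session_account_id, body):
        """Same endpoint with the checks a defender wants on an unauthenticated phase call."""
        if session_account_id is None:
            raise PermissionError("authentication required")
        if body["id"] != session_account_id:
            raise PermissionError("id does not belong to the caller")   # stops the IDOR
        ver = self.verifications.get(body["verification_id"])
        if ver is None or ver.consumed or ver.account_id != session_account_id:
            raise PermissionError("verification not valid for this account")
        submitted = (body["email"], body["country_code"], body["phone_number"])
        if submitted != (ver.email, ver.country_code, ver.phone_number):
            raise PermissionError("submitted contact data differs from what was verified")
        account = self.accounts[session_account_id]
        # Only the values the OTP was issued for are ever written.
        account.email = ver.email
        account.phone = ver.country_code + ver.phone_number
        account.contact_verified = True
        ver.consumed = True
        return account


def replay_scenario(hardened):
    """Re-enact the write-up with constructed data: user B's verification is submitted
    against user A's id. Returns user A's email afterwards, or the error message."""
    backend = SignupBackend()
    a_id, _ = backend.start_signup("a@example.test", "91", "1111111111")
    b_id, b_ver = backend.start_signup("b@example.test", "91", "2222222222")
    body = {"id": a_id, "email": "b@example.test", "phase": "phone_number",
            "country_code": "91", "phone_number": "2222222222", "verification_id": b_ver}
    try:
        if hardened:
            backend.complete_phase_hardened(b_id, body)
        else:
            backend.complete_phase_vulnerable(body)
    except PermissionError as exc:
        return str(exc)
    return backend.accounts[a_id].email


if __name__ == "__main__":
    print("vulnerable:", replay_scenario(hardened=False))   # user A now carries B's email
    print("hardened:  ", replay_scenario(hardened=True))    # request rejected
```

The point of the hardened handler is that a verification record is evidence about one specific account and one specific email/phone pair; the endpoint must never let the client choose which account it applies to, nor substitute different contact values once the OTP has been passed.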


So I reported the issue, and after 5 days I got a reply from the team: a bounty rated Low.

[screenshot: the team's reply]

I asked why a zero-click issue was rated Low, and they said:

[screenshot: the team's explanation]

Thank you for reading! If you enjoyed it, clap 50 times.

New articles Dropping soon

Connect with me
Linkedin: https://www.linkedin.com/in/jeet-pal-22601a290/
Instagram: https://www.instagram.com/jeetpal.2007/
X/Twitter: https://x.com/Mr_mars_hacker

And here’s something special for you! 🚨

Join a community of 2,800+ security researchers on our Discord server, where we discuss Web3 vulnerabilities, audits, and much more! 🚀
👉 Join the server here!: https://discord.gg/Y467qAFM4X

Note: I have republished this with more information to share.


Article source: https://infosecwriteups.com/how-i-discovered-account-takeover-ato-via-idor-lead-to-500-bounty-537bc7ff10b8?source=rss----7b722bfd1b8d--bug_bounty