Admin account takeover via weird Password Reset Functionality

Background:

Let’s assume that our vulnerable subdomain is sub.redacted.com, that it talks to an API subdomain called api.redacted.com, and that the forgot-password function on our site works like this:

  • Go to /forgetPass and type in the email.
  • If the email exists, the site sends a reset email; if it doesn’t, it returns an error.
  • The backend sends a third-party link with a unique token that redirects you to https://sub.redacted.com/verify/<UNIQUE-HASH> to type in a new password.

Analysis:

I started looking into /forgetPass, requested a password reset link, and began examining the requests involved:

  • The verification of the token happened in a separate request.
  • The request to change the password doesn’t require any token or anything else to prove that you’re the account owner.
  • The response when I changed the email to the victim’s email was suspicious; I didn’t expect a 400 Bad Request at all!

Exploitation:

  • First, we’ll request a password reset link for both the attacker’s and the victim’s email.
  • We’ll ignore all the token verification, because it’s useless: the token is never used to validate identity. We just need the site to know that the victim is going to reset their password, and we’ll take charge of the remaining steps.
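The root cause in the flow above is that the request that actually sets the new password is not bound to the reset token; the account is chosen by a client-supplied email. The following is an added example (my own code, not the writeup's or the target's) of the hardened shape of both steps from the Background and Analysis sections: the token is random, stored hashed, bound to the account it was issued for, time-limited and single-use, and the password-change step derives the account from the token rather than accepting an email. The in-memory stores, the account emails and the 15-minute lifetime are constructed for the example.

```python
# Added example, not the writeup's code: a reset flow where the password change is
# bound to the reset token, so only the account the emailed link was issued for
# can be changed. Stores are constructed in-memory stand-ins for a database.
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime for a reset link

# Constructed sample accounts (values are placeholders, not real hashes).
USERS = {
    "victim@redacted.com": {"password_hash": "old-victim-hash"},
    "attacker@example.com": {"password_hash": "old-attacker-hash"},
}
RESET_TOKENS = {}  # sha256(token) -> {"email", "expires", "used"}
SENT_EMAILS = []   # (recipient, link) pairs; stands in for the mail queue


def _hash_token(token):
    # Only a hash of the token is stored, so a database leak does not leak live links.
    return hashlib.sha256(token.encode()).hexdigest()


def _hash_password(password):
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt.hex() + ":" + digest.hex()


def vulnerable_change_password(email, new_password):
    # The pattern the writeup describes: the account is chosen by a client-supplied
    # email and no token is checked, so anyone who can reach this endpoint can
    # set the password of any account.
    USERS[email]["password_hash"] = _hash_password(new_password)
    return {"status": 200, "message": "Password updated."}


def request_reset(email, now=None):
    """Step 1: issue a token bound to the account.

    The response is identical whether or not the email is registered, so the
    endpoint cannot be used to enumerate accounts (the writeup's site returned an
    error for unknown emails, which leaks that information).
    """
    now = time.time() if now is None else now
    if email in USERS:
        token = secrets.token_urlsafe(32)
        RESET_TOKENS[_hash_token(token)] = {
            "email": email,
            "expires": now + TOKEN_TTL_SECONDS,
            "used": False,
        }
        SENT_EMAILS.append((email, f"https://sub.redacted.com/verify/{token}"))
    return {"status": 200, "message": "If that address is registered, a reset link has been sent."}


def complete_reset(token, new_password, now=None):
    """Step 2: verify and consume the token, then change the password of the account
    the token was issued for. No email or user id is accepted from the client, and
    verification and the password change happen in the same request."""
    now = time.time() if now is None else now
    record = RESET_TOKENS.get(_hash_token(token))
    if record is None or record["used"] or now > record["expires"]:
        return {"status": 400, "message": "Invalid or expired reset token."}
    record["used"] = True  # single use: a replayed link must not work
    USERS[record["email"]]["password_hash"] = _hash_password(new_password)
    return {"status": 200, "message": "Password updated."}


if __name__ == "__main__":
    request_reset("attacker@example.com")
    link = SENT_EMAILS[-1][1]
    attacker_token = link.rsplit("/", 1)[1]
    print(complete_reset(attacker_token, "new-attacker-password"))
    # The victim's record is untouched because the token names the attacker's account.
    print(USERS["victim@redacted.com"]["password_hash"])
```

The design choice worth noting is that `complete_reset` has no email parameter at all: the only way to name an account is to hold its unexpired, unused token, which is exactly the proof of ownership the original flow was missing.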

How about taking over the Admin account?

When I have a target to test, I collect as many employee emails as I can from GitHub and LinkedIn and keep them for default-credential checks and similar things, so I think it’s time to use them now.

Mahmoud Youssef

Cyber Security Researcher | Bug Hunter