How a Token Misconfiguration Can Lead to Account Takeover

Hello everyone,

It's 03:21 AM and tomorrow is my final exam, and I will pass 😛. I was unable to focus on my studies, so I decided to share one of my findings on HackerOne (h1). This is my second writeup.


My recon steps:

1. I visited redacted.com


2. I created account X and verified its email address, A.

The verification link looked like redacted.com/activate-account/Token1111


3. I requested a password-reset link for A (the email on account X).

The reset link looked like redacted.com/password-reset/Token1111. Note that the two endpoints take a token of the same shape; only the path differs.


4. I changed the email on account X from A to B.


5. Account X now asked me to confirm B.


6. I modified the confirmation link that was sent to B, swapping the activation path for the password-reset path:

BEFORE - redacted.com/activate-account/Token2222

AFTER  - redacted.com/password-reset/Token2222


7. Wow, I was able to change the password of account X: the password-reset endpoint accepted a token that had been issued for email confirmation.


I reported it to the program, where h1 closed it as Informative and the internal team gave the statement below:

"As you state, this requires the victim to add the attacker's email to their account. There's no reason they would intentionally do that. We are not interested in social engineering reports."


8. That stung, so I went back to redacted.com and tried to find a way around that precondition.


9. It took me 5 minutes to find one:

Back at step 4:

Before: I changed my email from A to B.

Now: I changed my email from A to B to C to X to ...n, i.e. several changes in a row.


10. B no longer belongs to account X (its pending change was superseded), but B's confirmation token still works at /password-reset/ and can still take over the account. The old confirmation token was never invalidated when the next email change was requested.


11. Now let's build a realistic scenario:

11.1. The victim logs in to redacted.com.

11.2. The victim wants to change their email from victim123@x.com to victim122@x.com but accidentally mistypes it as victim112@x.com.

11.3. Within a few seconds of submitting, the victim notices that no confirmation email has arrived and realises the address was mistyped.

11.4. The victim immediately changes the pending email to victim122@x.com.

11.5. The victim receives the confirmation email at victim122@x.com and confirms it.

11.6. Meanwhile, victim112@x.com belongs to an attacker, who already received the confirmation email from step 11.2.

11.7. The attacker tries the confirmation link; it does not work, as expected, because the pending change was superseded.

11.8. The attacker changes the URL path from /activate-account/ to /password-reset/ and lands on the reset-password page.

11.9. The attacker sets a new password and takes over the account.
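Both defects behind this finding (a reset endpoint that accepts any live token regardless of what it was issued for, and confirmation tokens that outlive the email change they belonged to) are easy to see in a small model. The following is an added example, not code from the original post and not redacted.com's implementation; the service classes, the token-table layout and the account names are all constructed assumptions. `run_step_six` replays steps 4-7 and `run_scenario` replays steps 11.1-11.9, first against a service that behaves like the one described and then against a hardened one that binds each token to a purpose and revokes older confirmation tokens when a new change is requested.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

EMAIL_CONFIRM, PASSWORD_RESET = "email_confirm", "password_reset"


@dataclass
class Account:
    email: str
    password: str
    pending_email: Optional[str] = None


@dataclass
class TokenRecord:
    account_id: str
    purpose: str            # what the token was issued for
    email: Optional[str]    # address a confirmation token was mailed to


class VulnerableService:
    """Hypothetical model of the described behaviour: /activate-account/<t> and
    /password-reset/<t> share one token table, and reset never checks purpose."""

    def __init__(self):
        self.accounts: Dict[str, Account] = {}
        self.tokens: Dict[str, TokenRecord] = {}

    def _issue(self, account_id, purpose, email=None) -> str:
        token = secrets.token_urlsafe(16)
        self.tokens[token] = TokenRecord(account_id, purpose, email)
        return token

    def request_email_change(self, account_id, new_email) -> str:
        """Returns the token that would be mailed to new_email."""
        self.accounts[account_id].pending_email = new_email
        return self._issue(account_id, EMAIL_CONFIRM, new_email)

    def request_password_reset(self, account_id) -> str:
        return self._issue(account_id, PASSWORD_RESET)

    def activate_account(self, token) -> bool:
        rec = self.tokens.get(token)
        if rec is None or self.accounts[rec.account_id].pending_email != rec.email:
            return False        # unknown token, or the change was superseded (step 11.7)
        del self.tokens[token]
        self.accounts[rec.account_id].email = rec.email
        self.accounts[rec.account_id].pending_email = None
        return True

    def reset_password(self, token, new_password) -> bool:
        rec = self.tokens.pop(token, None)   # BUG: any live token is accepted here
        if rec is None:
            return False
        self.accounts[rec.account_id].password = new_password
        return True


class HardenedService(VulnerableService):
    """Fix: every token is checked against the purpose it was issued for, and a new
    email-change request revokes the account's outstanding confirmation tokens."""

    def request_email_change(self, account_id, new_email) -> str:
        self.tokens = {t: r for t, r in self.tokens.items()
                       if not (r.account_id == account_id and r.purpose == EMAIL_CONFIRM)}
        return super().request_email_change(account_id, new_email)

    def activate_account(self, token) -> bool:
        rec = self.tokens.get(token)
        return rec is not None and rec.purpose == EMAIL_CONFIRM and super().activate_account(token)

    def reset_password(self, token, new_password) -> bool:
        rec = self.tokens.get(token)
        return (rec is not None and rec.purpose == PASSWORD_RESET
                and super().reset_password(token, new_password))


def run_step_six(service_cls) -> bool:
    """Steps 4-7: X changes A -> B, then B's confirmation token is sent to /password-reset/."""
    svc = service_cls()
    svc.accounts["X"] = Account("A@x.com", "hunter2")       # constructed data
    token_b = svc.request_email_change("X", "B@x.com")
    return svc.reset_password(token_b, "pwned")


def run_scenario(service_cls) -> Tuple[bool, bool, bool]:
    """Steps 11.1-11.9 with constructed data. Returns
    (victim_confirmed, attacker_activation_worked, attacker_reset_worked)."""
    svc = service_cls()
    svc.accounts["victim"] = Account("victim123@x.com", "hunter2")
    attacker_token = svc.request_email_change("victim", "victim112@x.com")  # 11.2 typo
    fixed_token = svc.request_email_change("victim", "victim122@x.com")     # 11.4
    confirmed = svc.activate_account(fixed_token)                           # 11.5
    activated = svc.activate_account(attacker_token)                        # 11.7
    reset = svc.reset_password(attacker_token, "pwned")                     # 11.8/11.9
    return confirmed, activated, reset
```

Against `VulnerableService`, `run_step_six` returns True and `run_scenario` returns (True, False, True): the victim's own confirmation works, the attacker's stale activation link fails exactly as the writeup notes, and the same stale token still resets the password. Against `HardenedService` both attacks return False. Note that purpose binding alone would stop step 6 but not the scenario's core lesson about stale tokens; revoking superseded confirmation tokens is the second half of the fix, and a real deployment would also expire tokens after a short time.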


12. After I posted the information above, h1 reopened my report.



13. A bounty was awarded 2 days after triage.



Thanks for reading. Have a nice day!
