Full Account Takeover via Changing Email And Password of any User through API Parameters
I’m going to talk about a common but strange password reset system that I have seen many times in bug hunting and in VAPT projects; in many cases this system opens the door for an attacker to take over users’ accounts.
The story started when I was testing the Change Password function on this website and found something interesting. After I changed my password successfully via the Change Password functionality, I noticed the following request:
After checking this request:
I then asked other users of this web application for their email addresses, successfully changed their passwords and got access to their accounts.
Steps:
1. The attacker logs in with their own account and goes to the Change Password function.
2. Start Burp Suite and intercept the request.
3. After intercepting the request, send it to Repeater and modify the Email and Password parameters.
(I randomly used different users’ emails and changed their passwords: taken over :))
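The root cause behind these steps is that the server picks the account to update from the client-supplied Email parameter instead of from the authenticated session, so any logged-in user can set a new password for any other account whose email they know. The following is an added example, not code from the original post or from the affected website: a minimal simulation of the vulnerable change-password handler beside a hardened one. The form field names `Email`, `Password` and `CurrentPassword`, the user store and the sample accounts are all assumptions made for illustration; the hash function is standard-library PBKDF2.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 100_000  # assumed work factor for the demo
SALT_LEN = 16


def hash_password(password: str) -> bytes:
    """Return salt || PBKDF2-HMAC-SHA256(password) as one byte string."""
    salt = os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt + digest


def verify_password(password: str, stored: bytes) -> bool:
    """Constant-time comparison of a candidate password against a stored hash."""
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def make_store() -> dict:
    """Constructed sample user store: email -> password hash (assumption, not real data)."""
    return {
        "attacker@example.com": hash_password("attacker-pass"),
        "victim@example.com": hash_password("victim-pass-123"),
    }


def change_password_vulnerable(store: dict, session_email: str, form: dict) -> dict:
    """Vulnerable handler: the account is chosen from the client-controlled Email field.

    The session is only used to check that *someone* is logged in; the Email
    parameter from the request body decides whose password gets overwritten.
    """
    if session_email not in store:
        return {"status": 401}
    target = form.get("Email")            # BUG: trusts the attacker-supplied email
    if target not in store:
        return {"status": 404}
    store[target] = hash_password(form.get("Password", ""))
    return {"status": 200, "changed": target}


def change_password_fixed(store: dict, session_email: str, form: dict) -> dict:
    """Hardened handler: identity comes from the session, never from the form.

    Any Email field in the request body is ignored, the current password must be
    re-entered, and a minimal length policy is enforced on the new password.
    """
    if session_email not in store:
        return {"status": 401}
    if not verify_password(form.get("CurrentPassword", ""), store[session_email]):
        return {"status": 403}
    new_password = form.get("Password", "")
    if len(new_password) < 12:
        return {"status": 400}
    store[session_email] = hash_password(new_password)
    return {"status": 200, "changed": session_email}


if __name__ == "__main__":
    # Forged Repeater request: attacker's session, victim's email in the body.
    forged = {"Email": "victim@example.com", "Password": "pwned-by-attacker"}

    store = make_store()
    print("vulnerable:", change_password_vulnerable(store, "attacker@example.com", forged))
    print("victim login with attacker's password:",
          verify_password("pwned-by-attacker", store["victim@example.com"]))

    store = make_store()
    forged["CurrentPassword"] = "attacker-pass"
    print("fixed:", change_password_fixed(store, "attacker@example.com", forged))
    print("victim password still intact:",
          verify_password("victim-pass-123", store["victim@example.com"]))
```

Running the script shows the forged request overwriting the victim's hash in the vulnerable handler, while the fixed handler only ever touches the account bound to the session, regardless of what Email value is sent. When testing a real target, the same check applies: change the email/user identifier in an authenticated change-password or profile-update request and confirm whether the server honours it.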
Timeline:
13–6–2018 : Vulnerability reported
15–6–2018 : Vulnerability Confirmed
23–6–2018 : Vulnerability Fixed
Thanks for reading :)