Full Account Takeover via Changing Email And Password of any User through API Parameters

chaliye shuru Karte Hai

I’m going to talk about a common and strange password reset system that I have seen many times in Bug Hunting and in many VAPT projects. and in many cases this system opens the door to attacker to hack user’s accounts.

The story started when I was testing Change password function on this website but I found something interesting. After I changed my password successfully via Change Password Functionality, I noticed the following request:

After checking this request :

Shocked

Then I asked other users for their email which use this web and successfully changed their passwords and got access to their accounts

Steps : 1.Attacker have to login with their account and Go to the Change password function

2. Start the Burp Suite and Intercept the request

3.After intercepting the request sent it to repeater and modify parameters Email and Password

(randomly used different users emails and changed their passwords : Takeovered :))

proof of concept

Timeline:

13–6–2018 : Vulnerability reported
15–6–2018 : Vulnerability Confirmed
23–6–2018 : Vulnerability Fixed

Thanks for reading :)

Listed in Top 100 most respected hackers in the world by Microsoft at the BlackHat conference in America 2018