Account Take Over | P1 — Critical
It started off like any other day until I got an unexpected email — an invite to a private bug bounty program. Curious, I jumped in. The target? A website we’ll call redacted.com.
I began testing the usual stuff — login pages, account settings, and then the “Forgot Password” feature. At first, everything seemed normal: enter your email, get a reset link. But as I dug deeper, I found something strange. There was a flaw that could let an attacker take over someone else’s account using the password reset feature.
It wasn’t obvious — pretty well-hidden, actually — but if exploited, it could allow someone to completely lock out a victim and take control of their account. Serious stuff.
Vulnerability Explanation:
Let’s break it down step by step:
- Setup: I have two accounts: one for the attacker (attacker@email.com) and one for the victim (victim@email.com).
- Initial Request: The attacker initiates a "Forgot Password" request using their own email (attacker@email.com).
- Password Reset Link: A password reset link is sent to the attacker's email. The attacker clicks the link, leading to the page where they can set a new password.
- Intercepting the Request: Using Burp Suite, the attacker fills in the new password for the account and intercepts the request before submitting it.
- Modifying the Request: In the intercepted request, the attacker changes the email parameter from their own (attacker@email.com) to the victim’s email (victim@email.com).
- Account Takeover: Upon sending the modified request, the password is successfully updated for the victim’s account (victim@email.com), effectively allowing the attacker to take control of it.
Conclusion
This Account Takeover vulnerability revealed a critical flaw in the password reset process, where an attacker could intercept and modify the reset request to change another user’s password. The issue was caused by insufficient server-side validation of the email parameter. Addressing this requires stricter checks to ensure only the rightful user can reset their password, highlighting the importance of securing key workflows like password recovery.
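To make the root cause concrete, here is an added Python model of the reset endpoint in both forms. It is not code from the write-up or from the program's target; the in-memory store, the two sample accounts and every function name are constructed for this illustration. The first handler reproduces the flaw: the reset token is only checked for existence, and the account to update is taken from the client-supplied email parameter. The second derives the account from the token's own binding, rejects a mismatching email, and treats the token as single-use and time-limited.

```python
import hashlib
import secrets
import time
from typing import Dict, Optional, Tuple

# Constructed in-memory "database" for the example: two accounts, no passwords yet.
USERS: Dict[str, Dict[str, Optional[str]]] = {
    "attacker@email.com": {"password_hash": None},
    "victim@email.com": {"password_hash": None},
}

# Reset tokens are stored hashed (sha256(token) -> (bound email, expiry time)),
# so a leaked table does not hand out live tokens.
RESET_TOKENS: Dict[str, Tuple[str, float]] = {}


def _sha256(value: str) -> str:
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def issue_reset_token(email: str, ttl_seconds: int = 900) -> str:
    """'Forgot Password' step: mint a random token bound to the requesting account."""
    token = secrets.token_urlsafe(32)
    if email in USERS:
        # Unknown addresses still get a token-shaped reply (no stored binding)
        # so the response does not reveal whether the account exists.
        RESET_TOKENS[_sha256(token)] = (email, time.time() + ttl_seconds)
    return token


def _consume_token(token: str) -> Optional[str]:
    """Return the email the token is bound to if it is known and unexpired.
    The token is removed on every call, so it can only be used once."""
    entry = RESET_TOKENS.pop(_sha256(token), None)
    if entry is None:
        return None
    bound_email, expiry = entry
    if time.time() > expiry:
        return None
    return bound_email


def reset_password_vulnerable(token: str, email: str, new_password: str) -> bool:
    """Flawed handler: the token proves *someone* requested a reset, but the
    account that gets the new password is whatever email the client sent."""
    if _consume_token(token) is None:
        return False
    if email not in USERS:
        return False
    USERS[email]["password_hash"] = _sha256(new_password)
    return True


def reset_password_fixed(token: str, email: str, new_password: str) -> bool:
    """Hardened handler: the account comes from the token's binding; a client-
    supplied email that does not match it is rejected rather than trusted."""
    bound_email = _consume_token(token)
    if bound_email is None:
        return False
    if email != bound_email:
        return False
    USERS[bound_email]["password_hash"] = _sha256(new_password)
    return True


def replay_report() -> Dict[str, bool]:
    """Run the write-up's request against both handlers and report the outcomes."""
    token = issue_reset_token("attacker@email.com")
    vulnerable_hit = reset_password_vulnerable(token, "victim@email.com", "attacker-chosen")
    token = issue_reset_token("attacker@email.com")
    fixed_hit = reset_password_fixed(token, "victim@email.com", "attacker-chosen")
    return {"vulnerable_updates_victim": vulnerable_hit, "fixed_updates_victim": fixed_hit}


if __name__ == "__main__":
    print(replay_report())
```

In a real deployment the email field would usually be dropped from the reset form altogether, since the token already identifies the account; keeping it only as a consistency check, as above, is the minimal change when the client cannot be updated in step.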
Would you like to see more insightful articles like this? Your support enables me to create valuable content. Consider buying me a coffee to fuel the creation of more free prompts. Your contribution is greatly appreciated! ❤️❤️❤️