InfoSec Write-ups – Medium
Hello Hunters, this is a quick write-up on one of my recent findings on a bug bounty program. Before jumping into the vulnerability, let us get familiarized with a few terms.
What is PII Leakage?
Personally identifiable information (PII) is any data that could potentially identify a specific individual, such as a username, user ID or any other personal information. PII leakage is the exposure of such data.
What is Account Takeover Vulnerability?
It is a type of vulnerability that allows hackers to take full control of the user’s account by exploiting a flaw in the application’s logic.
Since the program does not allow disclosure, let’s consider the program as redacted.com. It started when I began to test the reset password functionality of the target. Just like any other website, the forgot password page on https://ift.tt/3cy7XYa also sent an email to the registered mail address for the password change. The reset password link was as below:
The link did not expire even after changing the password. Weird, right?! Requesting a password reset once again gave the following link:
The thing to observe is that the last part of the URL is the same for both links.
After analyzing the above link:
1597486704 → Unix timestamp
The last part of the URL was base64; decoding it gave the following:
Here, 588588 is my user ID and firstname.lastname@example.org is my email address. But wait, what was the gibberish look-alike thing [asdfghjkl9156837463000]?
Never mind; after playing with the link for some time, I found that only the last part of the URL, i.e. the user ID, was being validated by the server for the password reset.
So now, if I knew the user ID of any user, I could change their password with ease. Win? Nah!!
Now all I had to do was enumerate the email address for each user ID via brute force. [PS: User ID 1 belonged to the admin ;)]
Enumerate the user ID and email address from the endpoint → Reset the password → Login with the new password → Full Account Takeover
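As an added example (not code from the write-up or from the affected program), here is a Python model of the weak check described above beside a hardened reset-token service: the token is a random secret, only its hash is stored, and it is bound to the user, time-limited, single-use and revoked on password change. Function and class names, the 15-minute TTL and the sample values are assumptions.

```python
import base64
import hashlib
import secrets
import time
from typing import Optional

# Weak scheme as described above: the link carries base64("<userID>:<email>:<random>")
# and the server only reads the user ID out of it, so the other fields are decoration.
def weak_token(user_id: int, email: str, nonce: str) -> str:
    return base64.b64encode(f"{user_id}:{email}:{nonce}".encode()).decode()

def weak_verify(token: str) -> Optional[int]:
    """Model of the flawed check: whatever user ID decodes out of the token is trusted."""
    try:
        user_id, _email, _nonce = base64.b64decode(token).decode().split(":")
        return int(user_id)
    except (ValueError, UnicodeDecodeError):
        return None

# Hardened scheme (assumed design): random secret, hash stored server-side, bound to the
# user ID, expiring, single-use, and dropped when the password changes.
class ResetService:
    def __init__(self, ttl_seconds: int = 900, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock  # injectable for tests
        self._pending: dict = {}  # sha256(token) -> (user_id, issued_at)

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id: int) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits of CSPRNG output, nothing user-derived
        self._pending[self._digest(token)] = (user_id, self.clock())
        return token  # only ever placed in the e-mailed link

    def consume(self, token: str) -> Optional[int]:
        """Return the user ID to reset if the token is valid, else None. Single-use."""
        entry = self._pending.pop(self._digest(token), None)  # pop: one use only
        if entry is None:
            return None
        user_id, issued_at = entry
        if self.clock() - issued_at > self.ttl:
            return None  # expired
        return user_id

    def on_password_changed(self, user_id: int) -> None:
        """Drop every outstanding token for the account once its password changes."""
        self._pending = {h: v for h, v in self._pending.items() if v[0] != user_id}
```

The hardened version also closes the PII leak: the link no longer carries the user ID or email address at all.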
PS: The website stored personal information such as bank account number, PAN, Aadhaar card and other sensitive data, which could be accessed after signing in to the victim’s account.
Thank you for the read !!
In collab with Spyder
Follow me on Twitter
PII Leakage via IDOR + Weak PasswordReset = Full Account Takeover was originally published in InfoSec Write-ups on Medium, where people are continuing the conversation by highlighting and responding to this story.