PII Leakage via IDOR + Weak PasswordReset = Full Account Takeover

InfoSec Write-ups – Medium

Hello Hunters, this is a quick write-up on one of my recent findings on a bug bounty program. Before jumping into the vulnerability, let us get familiar with a few terms.

What is PII Leakage?

Personally identifiable information (PII) is any data that could potentially identify a specific individual, such as a username, a userID or any other personal information. PII leakage is the exposure of such data.

What is Account Takeover Vulnerability?

It is a type of vulnerability that allows an attacker to take full control of a user's account by exploiting a flaw in the application's logic.


Since the program does not allow disclosure, let's refer to it as redacted.com. It started when I began to test the password reset functionality of the target. Just like any other website, the forgot-password feature on https://ift.tt/3cy7XYa sent an email to the registered mail address for the password change. The reset password link was as below:


The link did not expire even after changing the password. Weird, right!! Requesting a password reset once again gave the following link:


The thing to observe is that the last part of the URL is the same for both links.

After analyzing the above link:

1597486704 → Unix Time Stamp

The last part of the URL was base64; decoding it gave the following:


Here, 588588 is my userID and killer@gmail.com is my email address. But wait, what was the gibberish-looking thing [asdfghjkl9156837463000]?

Never mind; after playing with the link for some time, I found that only the last part of the URL, i.e. the userID, was being validated by the server for the password reset.


So now, if I knew the userID of any user, I could change their password with ease. Win? Nah!!
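To make the flaw concrete, here is an added example (my own code, not the target's implementation): a toy verifier that, like the one described above, checks only the userID inside the base64 payload, placed beside a hardened reset flow that issues a random, hashed, single-use, time-limited token. The token layout (`timestamp.base64("userID|email|random")`), the `|` separator and the store are assumptions for illustration.

```python
import base64
import hashlib
import secrets
import time
from typing import Optional

# --- The weak design, as described in the write-up (layout is an assumption) ---

def make_weak_token(user_id: str, email: str, nonce: str, ts: int) -> str:
    """Builds '<unix ts>.<base64(userID|email|nonce)>', mirroring the observed link."""
    payload = f"{user_id}|{email}|{nonce}".encode()
    return f"{ts}." + base64.urlsafe_b64encode(payload).decode()

def weak_verify(token: str, known_user_ids: set) -> Optional[str]:
    """Reproduces the flaw: only the userID in the payload is checked, so the
    timestamp, nonce and email contribute nothing to security and the link never expires."""
    _ts, payload = token.split(".", 1)
    user_id = base64.urlsafe_b64decode(payload).decode().split("|")[0]
    return user_id if user_id in known_user_ids else None

# --- Hardened design: unguessable token, stored only as a hash, single-use, expiring ---

TOKEN_TTL = 15 * 60                                   # seconds a reset link stays valid
_reset_store: dict = {}                               # sha256(token) -> (userID, expiry)

def issue_reset_token(user_id: str, now: Optional[float] = None) -> str:
    """Creates a 256-bit random token bound server-side to the user; the raw token
    goes only into the email, the database keeps its hash."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    digest = hashlib.sha256(token.encode()).hexdigest()
    _reset_store[digest] = (user_id, now + TOKEN_TTL)
    return token

def consume_reset_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Returns the bound userID or None. The entry is removed on first use, so a
    link cannot be replayed after the password has been changed, and it expires."""
    now = time.time() if now is None else now
    digest = hashlib.sha256(token.encode()).hexdigest()
    entry = _reset_store.pop(digest, None)            # single-use
    if entry is None:
        return None
    user_id, expiry = entry
    return user_id if now <= expiry else None
```

The userID is never derivable from the hardened token, so leaking it elsewhere (as the IDOR below does) no longer lets anyone reset the password.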

Now the goal was to find the spot where the userIDs of users were revealed or leaked. After a couple of days of recon I was able to find an IDOR on an endpoint referenced in a JavaScript file. The endpoint only required the userID parameter, and it leaked many sensitive pieces of information belonging to that userID, such as the username, email address and even the residence address.

IDOR Link:


Now all I had to do was enumerate the email address for each userID by brute-forcing the endpoint. [PS: userID 1 belonged to the admin ;)]


Enumerate the userID and EmailAddress from the endpoint → Reset the password → Login with the new password → Full Account Takeover


PS: The website stored personal information such as bank account number, PAN, Aadhaar card and other sensitive data, all of which could be accessed after signing in to the victim's account.

Thank you for the read !!

In collab with Spyder

Follow me on Twitter




PII Leakage via IDOR + Weak PasswordReset = Full Account Takeover was originally published in InfoSec Write-ups on Medium, where people are continuing the conversation by highlighting and responding to this story.
