Published On: 24 Aug 2024
When I perform a password reset, a POST request is sent to the /reset_password?app=cms endpoint with parameters in the body such as {"password":"Anjir123!@#","password_confirmation":"Anjir123!@#","token":"51e7c13c149271daf741849f02063309","email":"[email protected]"}. When I changed the value of the "email" parameter to another registered user's email, I successfully changed the password on that user's account, because the server does not check whether the victim actually requested the reset (the token is accepted for any email).
This bug allows an attacker to change another user's account password if they know the email address the victim registered with.
Step 1
Go to target.com.
Step 2
Create 2 accounts with emails, say [email protected] and [email protected].
Step 3
From the attacker account, request a password reset link > copy the link sent to your email and paste it into the address bar > the link will look like https://target.com/reset-password?token=51e7c13c149271daf741849f02063309&[email protected] > when I tried to change the email parameter value in the link to [email protected] and update the password, it did not work.
Step 4
Click "Submit" while intercepting the request with a proxy tool.
Step 5
A POST request is sent to the /reset_password?app=cms endpoint with parameters in the body such as {"password":"Anjir123!@#","password_confirmation":"Anjir123!@#","token":"51e7c13c149271daf741849f02063309","email":"[email protected]"} > change the value of the "email" parameter to [email protected] and forward the request to the server > it returns a 200 OK response with a body like {"status":"success","state":200,"message":"Kata sandi telah berhasil di atur ulang.","data":[]}
Step 6
Log in as [email protected] with the new password; I was immediately redirected to the victim's account profile.
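The root cause is that the reset token is checked for existence only, while the account to reset is taken from the client-supplied "email" field. The following is an added example (not the target's code) of a minimal reset handler in both shapes: the vulnerable lookup beside a hardened one that binds the token to the email it was issued for, enforces expiry and makes the token single-use. Store names and sample accounts are constructed.

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory stores standing in for the application's database.
USERS = {"attacker@example.com": "old-a", "victim@example.com": "old-v"}
# sha256(token) -> (email the token was issued for, expiry as epoch seconds)
RESET_TOKENS: dict[str, tuple[str, float]] = {}

def issue_reset_token(email: str, ttl: float = 900) -> str:
    """Issue a reset token; store only its hash, bound to the requesting email."""
    token = secrets.token_hex(16)
    RESET_TOKENS[hashlib.sha256(token.encode()).hexdigest()] = (email, time.time() + ttl)
    return token

def reset_password_vulnerable(body: dict) -> dict:
    """Mirrors the flaw in the write-up: the token only has to exist, and the
    password is set on whatever 'email' the client put in the body."""
    h = hashlib.sha256(body["token"].encode()).hexdigest()
    if h not in RESET_TOKENS or body["email"] not in USERS:
        return {"status": "error", "state": 400}
    USERS[body["email"]] = body["password"]
    return {"status": "success", "state": 200}

def reset_password_fixed(body: dict) -> dict:
    """Hardened: the token decides which account is reset. The client-supplied
    email must match the bound one, the token must be unexpired, and it is
    consumed on use so a captured request cannot be replayed."""
    if body["password"] != body["password_confirmation"]:
        return {"status": "error", "state": 400}
    h = hashlib.sha256(body["token"].encode()).hexdigest()
    record = RESET_TOKENS.get(h)
    if record is None:
        return {"status": "error", "state": 400}
    bound_email, expires = record
    if time.time() > expires or not hmac.compare_digest(
        bound_email.encode(), body["email"].encode()
    ):
        return {"status": "error", "state": 400}
    del RESET_TOKENS[h]                      # single use
    USERS[bound_email] = body["password"]    # never take the target from body["email"]
    return {"status": "success", "state": 200}
```

The fixed handler still accepts "email" in the body for compatibility, but uses it only as a consistency check against the token's binding; the token alone determines which account changes.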