Full account takeover worth $1000 Think out of the box
Hi everyone how are you doing today? I hope you are doing great and scoring lots of bounties. Today's story is about a bug I found on public disclosure program which allows me to take over any user's account. It was a P4 issue but I didn’t report and chain it to P1. Without further ado let’s start
I don’t have permission to disclosure target information so let’s call it example.com. It was a normal website. There is not so much functionality, You can create an account, log in, change password, etc.
As always I create 2 accounts. I first signup and login with the victim account and I checked every request & response in the burp suite. I found that website is using some kind of CSRF token to prevent CSRF attacks. In the view-page source, I found a website assigning userID to every user. It is 6 digit ID so we can guess ID easily.
Now I go to account settings and I change some of my information (still I am in the victim’s account) and I capture the request.
So now I signup and login with the attacker account. and I try to change the information of the victim on change username functionality (As you can see in the above screenshot) and BOOM nothing happened
I checked on the change email page also but It looks like without the victim CSRF token you can’t change any information. I try to remove the CSRF token, change POST to GET, etc. but nothing happened.
Now I started looking into other website functionality. It’s time to check how the website implemented change password functionality. For changing the password you need to enter your current password and then the new password. I found that If I remove the current password parameter still I can change the user's password
Without knowing the old password I can change my password. It’s a P4 issue sometimes P5. Don’t know. I didn’t report this. And I stopped hacking for few hours.
Whenever I don’t hack I talk to other hackers. I call my friend. He found a CSRF bug on his private program and he is able to turn on / off any other user's notifications. I asked him why not tried to change other user’s email or name etc. He said the website validating CSRF tokens on the change info page but not on turn on/off the notification. After talking to him, I start my laptop I now am checking if the change password page CSRF token is validating.
I found that If we remove the csrf_token token and instead of csrf token if we use null like this
I can change my password. But still, this is P4 because If I want to change another user's password I must need to know their email (to login).
If you can see the screenshot carefully you will found there is no userID. I tried to check for /api/user/userID/change_password, etc. But nothing happens and I was like
It’s time to give it a last try. Now I am thinking if can use userID in JSON body. maybe will find something better. but I don’t know the parameter name so It’s time to use Param Miner
This extension identifies hidden, unlinked parameters. It's particularly useful for finding web cache poisoning…
If you don’t know what is Param Miner is, It is a free burp suite extension by James ‘albinowax’ Kettle. This extension identifies hidden, unlinked parameters.
We want to find hidden param in the JSON body so will select Guess JSON parameter.
A few minutes later I found uid parameter. Now you know what I am thinking to do. Yes, I use uid parameter in my change password JSON body and now I can change all user's passwords without the user's interaction.
You may ask still you don’t know other user's email so you can change the password but you can’t log in to their account because you don’t know their email.
Yes, you are right but I reported and I mention in my report: I only tested my account but If you want me to show impact, I can change all the user’s passwords and can log in to firstname.lastname@example.org.
After reporting, the team reply to me and they fix the issue and reward me with $1000
I hope you enjoy reading. If you have any question you can dm me on Twitter https://twitter.com/mokhansec