How I did a Full Account Takeover (FATO) using the forgot password link

Overview:
Account takeover occurs when an adversary gains access to somebody else's account. They can then do everything the legitimate owner of that account can do.
There are several techniques to achieve an ATO, but in this article I'll be sharing a technique that I used on an RDP program.
After spending several hours doing recon and testing other parameters on the target website, I decided to test the forgot password link.

Scenario:
When I requested the forgot password link for my account, I got a URL like this:
https://target.com/ui/cp/requestTime?1625893867216/requestToken/118962063/userId/asasjds

Password Reset URL

Looking at the reset URL, it has three parameters: the first is requestTime, the second is requestToken and the last is userId. As soon as I saw these parameters I thought what any security researcher would think: what if I change the userId parameter to another userId and check whether the requestToken of my account is valid for other userIds?

The problem then was how to get the userId of another account. For testing purposes I first created a second account and used that account's userId, and guess what!!! The same requestToken was accepted for the reset link of every userId; the token was not bound to the account it was issued for.
</grreplace>
<gr_replace lines="18-19" cat="clarify" orig="Okay so till now">
Okay, so at this point I could reset any account as long as I had its userId. So I thought, why not try to take over the admin account? 😵
I just needed the admin's email, because once a forgot password request was submitted, the response showed the userId of that account. After digging for a while I got the admin email and sent a reset password request just to get the userId of the account.

Okay so till now, I can reset any account if I have the userId. So I thought why not try to Takeover admin account …😵
So i just needed the email of admin, as once we submit the forgot request, it was showing the user id of that account in the response. So after digging for a while I got the admin email and sent a reset password request just to get the userId of the account.

User Id exposed in reset password response

Now that I had the userId of the admin account, I sent a password reset link to my own account and changed the userId in it to the admin's userId. With that I had full access to the admin account. NO BETTER FEELING THAN THIS
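The defect described above is that requestToken is validated on its own while userId is read straight from the URL, and the forgot password response hands out userIds. The following is an added illustration in Python, not the target's code: the vulnerable pattern beside a hardened one in which the token is stored hashed, bound server-side to the account it was issued for, time-limited and single-use. Class and method names are my own assumptions.

```python
import hashlib
import secrets
import time


def _now_ms():
    return int(time.time() * 1000)


class VulnerableResetService:
    """Mirrors the write-up: requestToken is checked on its own and userId is
    trusted from the URL, so one token can reset any account."""

    def __init__(self):
        self.tokens = {}  # requestToken -> requestTime

    def issue(self, user_id):
        token = str(secrets.randbelow(10 ** 9))  # short numeric token, as in the post
        self.tokens[token] = _now_ms()
        # The response also leaks userId, which is what made the admin account reachable.
        return {"requestTime": self.tokens[token], "requestToken": token, "userId": user_id}

    def verify(self, request_token, user_id):
        return request_token in self.tokens  # userId is never compared to anything


class HardenedResetService:
    """Token is long and random, stored only as a hash, bound to the account it
    was issued for, expires after TTL_MS and is consumed on first use. The
    account is taken from the stored record, never from the client."""

    TTL_MS = 15 * 60 * 1000  # constructed value: 15 minutes

    def __init__(self):
        self.pending = {}  # sha256(token) -> (user_id, issued_ms)

    def issue(self, user_id, now_ms=None):
        now_ms = _now_ms() if now_ms is None else now_ms
        token = secrets.token_urlsafe(32)
        self.pending[hashlib.sha256(token.encode()).hexdigest()] = (user_id, now_ms)
        return {"requestToken": token}  # no userId in the response

    def verify(self, request_token, claimed_user_id, now_ms=None):
        """Return the bound account on success, None otherwise."""
        now_ms = _now_ms() if now_ms is None else now_ms
        key = hashlib.sha256(request_token.encode()).hexdigest()
        entry = self.pending.get(key)
        if entry is None:
            return None
        bound_user, issued_ms = entry
        if now_ms - issued_ms > self.TTL_MS or bound_user != claimed_user_id:
            return None
        del self.pending[key]  # single use
        return bound_user
```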

QUICK TAKEAWAY:

  • When testing for A07:2021, always look at the surrounding functionality too, such as how the reset link and CSRF token are generated.
  • Always test every parameter, even one that seems low hanging and that you think must already have been reported by another researcher. You never know; you might get lucky, exploit such low-hanging fruit and earn an easy bounty :)
Happy Hacking ✌️
