Reset Password to Account Takeover

Rohmad Hidayah
Jun 4, 2024


Description

This bug allows a malicious user to take over a victim's account while knowing only the email address the victim registered on the website.

Impact

Account takeover

Reproduction Steps

User

  • User A (attacker, attacker@gmail.com)
  • User B (victim, victim@gmail.com)

Steps

  1. User A requests a password reset at https://redacted.com/forgot-password
  2. User A copies the reset link and pastes it in the browser.
  3. The link will look like the one below:

https://redacted.com/reset-password?token=random_hash&email=attacker@gmail.com

  4. Enter the new password and confirm it.
  5. When I changed the email value in the link from step 3 to victim@gmail.com, this method didn't work.
  6. Capture the request with a proxy tool and submit it.
  7. A POST request is sent to the /reset_password?app=cms endpoint with several parameters, as below:

{"password":"Anjir123!@#","password_confirmation":"Anjir123!@#","token":"random_hash","email":"attacker@gmail.com"}

  8. I then changed the email parameter value to the victim's email, victim@gmail.com, and sent the request to the server. It responded with 200 OK and the body below:

{"status":"success","state":200,"message":"Kata sandi telah berhasil di atur ulang.","data":[]}

  9. I then logged in to User B's account with the victim's email and the new password and was directed to his profile dashboard.
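As an added illustration (not code from the write-up or from the affected site), the Python mock below shows the server-side logic that produces this bug beside the check that closes it: the reset token must be looked up and tied to the account it was issued for, instead of trusting the email parameter in the request. The stores, account names and function names are constructed for the example.

```python
import hashlib
import secrets
import time

# Constructed in-memory stores standing in for the application's database.
# RESET_TOKENS maps sha256(token) -> record, so a database leak does not expose live tokens.
RESET_TOKENS = {}
# USERS maps email -> current password; a real system stores a password hash instead.
USERS = {"attacker@gmail.com": "old-a", "victim@gmail.com": "old-v"}


def _token_key(token):
    return hashlib.sha256(token.encode()).hexdigest()


def issue_reset_token(email, ttl_seconds=900):
    """Create a single-use reset token bound to the account that requested it."""
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[_token_key(token)] = {
        "email": email.lower(), "expires": time.time() + ttl_seconds, "used": False}
    return token


def reset_password_vulnerable(token, email, new_password):
    """Mirrors the bug in the write-up: the token is only checked for existence,
    so the client-supplied email decides which account receives the new password."""
    if _token_key(token) not in RESET_TOKENS or email.lower() not in USERS:
        return 400
    USERS[email.lower()] = new_password
    return 200


def reset_password_fixed(token, email, new_password):
    """Hardened version: the token must exist, be unexpired and unused, and have
    been issued for the very account named in the request."""
    rec = RESET_TOKENS.get(_token_key(token))
    if rec is None or rec["used"] or time.time() > rec["expires"]:
        return 400
    if rec["email"] != email.lower():
        # Token belongs to a different account: refuse instead of trusting the request.
        return 400
    rec["used"] = True                    # single use, so a captured token cannot be replayed
    USERS[rec["email"]] = new_password    # account comes from the token record, not the request
    return 200
```

Detection-wise, a reset request whose email field differs from the account the token was issued for is exactly the event the fixed handler rejects, and it is worth logging as a distinct alert rather than a generic 400.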

Timeline

March 7, 2024 : Report sent
June 4, 2024 : Bounty awarded $$
