Reset Password to Account Takeover
Description
This bug allows an attacker to take over any victim's account knowing only the email address registered on the website. The password-reset endpoint checks that the submitted reset token exists, but applies the new password to whichever account the client-supplied email parameter names, so a token issued for the attacker's own account can be used to reset the victim's password.
Impact
Account takeover
Reproduction Steps
Users
- User A (attacker, attacker@gmail.com)
- User B (victim, victim@gmail.com)
Steps
1. User A requests a password reset for attacker@gmail.com at
https://redacted.com/forgot-password
2. User A copies the reset link from the email and pastes it into the browser.
3. The link looks like this:
https://redacted.com/reset-password?token=random_hash&email=attacker@gmail.com
4. Enter the new password and confirm it.
5. Simply changing the email value in the link from step 3 to victim@gmail.com did not work.
6. Capture the form submission with a proxy tool and submit it.
7. A POST request is sent to the /reset_password?app=cms endpoint with the following JSON body:
{"password":"Anjir123!@#","password_confirmation":"Anjir123!@#","token":"random_hash","email":"attacker@gmail.com"}
8. Change the email parameter value to the victim's email, victim@gmail.com, and forward the request. The server responds 200 OK with the following body:
{"status":"success","state":200,"message":"Kata sandi telah berhasil di atur ulang.","data":[]}
(The Indonesian message translates to "The password has been successfully reset.")
9. Log in to User B's account with victim@gmail.com and the new password; the login succeeds and lands on the victim's profile dashboard.
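The following is an added example, not code from the original report or from the affected site, that replays the steps above against two hypothetical reset handlers: one that reproduces the reported behaviour (token checked for existence only, account chosen by the client-supplied email) and one that binds the token to the account it was issued for, expires it, and consumes it on use. The in-memory user table, token store, account names and the field names of the hardened handler are assumptions made for the demo.

```python
import hashlib
import hmac
import secrets
import time

# Constructed demo accounts (hypothetical; the report redacts the real site).
USERS = {
    "attacker@gmail.com": {"password": "attacker-old"},
    "victim@gmail.com": {"password": "victim-old"},
}


def _token_hash(token: str) -> str:
    """Store only a hash of the reset token so a database leak does not expose live tokens."""
    return hashlib.sha256(token.encode()).hexdigest()


class ResetTokenStore:
    """Hypothetical in-memory reset-token table: token hash -> {email, expires}."""

    def __init__(self):
        self.records = {}

    def issue(self, email: str, ttl_seconds: int = 900) -> str:
        token = secrets.token_urlsafe(32)
        self.records[_token_hash(token)] = {"email": email, "expires": time.time() + ttl_seconds}
        return token  # in the real flow this is the token in the emailed reset link

    def get(self, token: str):
        return self.records.get(_token_hash(token))

    def consume(self, token: str) -> None:
        self.records.pop(_token_hash(token), None)


def vulnerable_reset(store, users, body):
    """Reproduces the reported behaviour: the token is only checked for existence and
    the account to update is whatever the client put in the email parameter."""
    if store.get(body["token"]) is None:
        return 400, {"status": "error", "message": "invalid token"}
    if body["password"] != body["password_confirmation"]:
        return 400, {"status": "error", "message": "passwords do not match"}
    if body["email"] not in users:
        return 404, {"status": "error", "message": "unknown account"}
    users[body["email"]]["password"] = body["password"]  # attacker picks the victim here
    return 200, {"status": "success", "state": 200, "message": "Password has been reset.", "data": []}


def hardened_reset(store, users, body):
    """Fix: the account is the one the token was issued for, the token must be unexpired,
    the client-supplied email must match that binding, and the token is single-use."""
    record = store.get(body["token"])
    if record is None or record["expires"] < time.time():
        return 400, {"status": "error", "message": "invalid or expired token"}
    # Constant-time compare avoids leaking which email the token belongs to.
    if not hmac.compare_digest(record["email"].encode(), body["email"].encode()):
        return 400, {"status": "error", "message": "token does not match account"}
    if body["password"] != body["password_confirmation"]:
        return 400, {"status": "error", "message": "passwords do not match"}
    store.consume(body["token"])  # a token can reset a password exactly once
    users[record["email"]]["password"] = body["password"]  # never the client-supplied email
    return 200, {"status": "success", "state": 200, "message": "Password has been reset.", "data": []}


def run_demo():
    """Replay the report: attacker requests a token for their own account (step 1),
    then swaps the email parameter to the victim's (step 8). Returns, per handler,
    the HTTP status and the victim's resulting password."""
    results = {}
    for name, handler in (("vulnerable", vulnerable_reset), ("hardened", hardened_reset)):
        users = {email: dict(fields) for email, fields in USERS.items()}
        store = ResetTokenStore()
        token = store.issue("attacker@gmail.com")
        body = {
            "password": "NewPass123!",
            "password_confirmation": "NewPass123!",
            "token": token,
            "email": "victim@gmail.com",  # the single byte-level change made in the proxy
        }
        status, _ = handler(store, users, body)
        results[name] = (status, users["victim@gmail.com"]["password"])
    return results


if __name__ == "__main__":
    print(run_demo())
```

Running the demo shows the vulnerable handler returning 200 and the victim's password replaced, while the hardened handler refuses the swapped email and leaves the victim untouched. The important property of the fix is that the server derives the target account from the token, not from any request field the client controls; checking that the client's email matches is only a secondary sanity check.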
Timeline
March 7, 2024 : Report sent
June 4, 2024 : Bounty awarded $$