Account Takeover Through Password Reset Poisoning
Hello, I am Vishal Bharad, I am Mechanical Engineer :D and working as Penetration Tester. I’m here to share about my findings on Full Account Takeover.
About the Vulnerability :
For Discovering the bug I have tested many tricks on the website. Assume redacted.com. When finding the bugs i decided that find some bugs on Forget Password Page.
I tried on many websites about 6 to 8 hours. Then after so many attempts I have found a big and interesting vulnerability which leads to Full Account Takeover
Tools Used for this Vulnerability:
- Ngrok Server
Steps to Reproduce:
- Go to https://redacted.com/users/forgot_password and type username to get forget password link.
- Capture this request in Burpsuite and add X-Forwarded-Host: bing.com
3. Then forward the request and check your email. You got an email of Password reset with token. Which looks Like (https://bing.com/users/reset_password/tqo4Xciu806oiR1FjX8RtIUc1DTcm1B5Kqb53j1fLEkzMW2GPgCpuEODDStpRaES)
4. So the password reset link is valid and i can able to reset the password.
After Finding this bug I have decided to Exploit it.
After this I decided to perform How hacker can able to exploit this bug.
Followings are the Steps Regarding Exploitation.
- I created my server via ngrok which is Attackers server.
- Then Attacker go to the page which is https://redacted.com/users/forgot_password and type Victim username and capture the request in Burp suite.
- In captured request Attacker add “X-Forwarded-Host: ngrok.io” ngrok.io=ngrok server address.
4. So after that Victim can get the Password reset URL and the domain of that reset link is ngrok server address or domain. (For the exploitation It need victim interaction or one time click only)
5. Whenever victim is click on that link. Attacker can get the full token in his server
6. When attacker can get the password reset token he will only change the ngrok domain name to Main Domain to Takeover the Account.
- I reported to them 1st August
- They saw the report, steps to reproduce, and PoC(Screenshots, Videos).
- And, they rewarded me with 3 digit $(Between $700-$1000).
Looking forward to share more blogs
Linkedin Profile : https://www.linkedin.com/in/vishal-bharad-b476b388/