Account Takeover Through Password Reset Poisoning

Introduction :

Hello, I am Vishal Bharad. I am a Mechanical Engineer :D working as a Penetration Tester. I’m here to share my findings on a Full Account Takeover.

About the Vulnerability :

To discover the bug I tested many tricks on the website. While hunting for bugs, I decided to look for some on the Forgot Password page.

I tried this on many websites for about 6 to 8 hours. After many attempts I found a big and interesting vulnerability which leads to Full Account Takeover.

Tools Used for this Vulnerability:

  1. BurpSuite
  2. Ngrok Server

Steps to Reproduce:

  1. Go to and type the username to get the forgot password link.
  2. Capture this request in Burpsuite and add X-Forwarded-Host:
  3. Then forward the request and check your email. You get a password reset email with a token, which looks like (

Here the token is leaked to the . Now, to confirm whether this token is valid or not, put instead of and open it in the browser.

  4. So the password reset link is valid and I am able to reset the password.

After finding this bug I decided to exploit it, and to show how a hacker would be able to exploit it.

The following are the steps for exploitation.

  1. I created my server via ngrok, which is the attacker's server.
  2. Then the attacker goes to the page which is and types the victim's username, capturing the request in Burp Suite.
  3. In the captured request the attacker adds the “X-Forwarded-Host:” header with the server address.
  4. After that the victim gets the password reset URL, and the domain of that reset link is the ngrok server address or domain. (The exploitation needs victim interaction, a one-time click only.)
  5. Whenever the victim clicks on that link, the attacker gets the full token on his server.
  6. Once the attacker has the password reset token, he only has to change the ngrok domain name to the main domain to take over the account.
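The root cause described above is a reset-link builder that takes its host name from a client-controlled header. As an added illustration (not code from the original post or from the affected site), the Python sketch below shows that defect beside its fix: one builder that derives the link host from X-Forwarded-Host, one that only accepts hosts from a configured allowlist and otherwise falls back to the canonical host, and a small audit over constructed log lines that flags forgot-password requests carrying an unexpected X-Forwarded-Host. The host names, the header handling, the `/forgot-password` path and the log line format are all assumptions for the example.

```python
import secrets
from urllib.parse import urlencode

# Assumption: the application's own public host names, as they would come
# from deployment config. Nothing outside this set may end up in a reset link.
ALLOWED_HOSTS = {"example.com", "www.example.com"}
CANONICAL_HOST = "example.com"


def issue_reset_token() -> str:
    """Generate an unguessable reset token (the token itself is not the bug here)."""
    return secrets.token_urlsafe(32)


def first_host(value: str) -> str:
    """Proxies may append to X-Forwarded-Host, giving 'a.example, b.example';
    the first entry is the one the client originally sent."""
    return value.split(",")[0].strip().lower()


def reset_link_vulnerable(headers: dict, token: str) -> str:
    """The pattern from the write-up: the host of the reset link is taken from
    X-Forwarded-Host (falling back to Host), both of which the client controls,
    so the token is mailed out inside a link pointing at the injected host."""
    host = headers.get("X-Forwarded-Host") or headers.get("Host", CANONICAL_HOST)
    return f"https://{first_host(host)}/reset-password?{urlencode({'token': token})}"


def reset_link_hardened(headers: dict, token: str) -> str:
    """Fix: only a host on the allowlist is used; any other value, including an
    injected X-Forwarded-Host, is ignored in favour of the canonical host."""
    requested = first_host(headers.get("X-Forwarded-Host") or headers.get("Host", ""))
    host = requested if requested in ALLOWED_HOSTS else CANONICAL_HOST
    return f"https://{host}/reset-password?{urlencode({'token': token})}"


# Constructed sample log lines (not from the original post). Assumed format:
# client_ip "METHOD path" host=<Host header> xfh=<X-Forwarded-Host or '-'>
SAMPLE_LOG = [
    '203.0.113.5 "POST /forgot-password" host=example.com xfh=-',
    '198.51.100.7 "POST /forgot-password" host=example.com xfh=attacker-tunnel.example',
    '198.51.100.9 "GET /login" host=example.com xfh=attacker-tunnel.example',
    '203.0.113.8 "POST /forgot-password" host=example.com xfh=www.example.com',
]


def flag_reset_poisoning(lines):
    """Detection: return (client_ip, injected_host) for every forgot-password
    request whose X-Forwarded-Host names a host outside the allowlist."""
    flagged = []
    for line in lines:
        if "/forgot-password" not in line:
            continue
        fields = dict(kv.split("=", 1) for kv in line.split() if "=" in kv)
        xfh = fields.get("xfh", "-")
        if xfh != "-" and first_host(xfh) not in ALLOWED_HOSTS:
            flagged.append((line.split()[0], first_host(xfh)))
    return flagged


if __name__ == "__main__":
    token = issue_reset_token()
    injected = {"Host": "example.com", "X-Forwarded-Host": "attacker-tunnel.example"}
    print("vulnerable:", reset_link_vulnerable(injected, token))
    print("hardened:  ", reset_link_hardened(injected, token))
    print("flagged:   ", flag_reset_poisoning(SAMPLE_LOG))
```

The design point is that the link host must come from server-side configuration, never from the request; if a reverse proxy genuinely needs X-Forwarded-Host, strip or overwrite the header at the proxy so that the application never sees a client-supplied value, and alert on reset requests where the header names anything other than your own domains.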

Thank You

Disclosure :

  1. I reported it to them on 1st August.
  2. They saw the report, steps to reproduce, and PoC (screenshots, videos).
  3. And they rewarded me with a 3-digit $ bounty (between $700-$1000).


Looking forward to sharing more blogs.

Best Regards

Vishal Bharad

Linkedin Profile :



Penetration Tester, Bug Bounty Hunter, Security Researcher
