Hi all, this is Kullai (Security Researcher). Today I will share one of my interesting findings. It's my first P1. Let's start...
While I was hunting on one target, named example.com here (I will refer to it as redacted.com throughout), I found an invite functionality on their website. By using that functionality, I was able to take over a victim's account. Interesting, right? Let's dive in...
"Please ignore any mistakes in my English."
How did I find this?
Using this invite functionality, I was able to invite other users.
Suppose User-A is the attacker and User-B is the attacker's friend.
User-A invites User-B, User-B accepts, and now User-A and User-B are in the same group.
Now User-A resets User-B's password (User-A is the admin, so User-A has the privilege to send the reset-password mail to User-B).
User-B receives the reset-password link in his mail.
He opens the link but does not change the password yet.
Now the whole drama begins: User-A changes the email of User-B to the victim's email.
You can see in the screenshots that I updated User-B's email, and it is now the victim's email.
After the email is changed to the victim's, User-B now changes the password.
Here User-B's password should be the one that changes, but in my case the victim's password was updated instead.
I was like, wtf is happening!!!! Without any interaction from the victim, I was able to change the password and log in with the new credentials that were set by User-B.
I named this one myself: Account Takeover via Confusion (I have no idea whether someone else already uses this name, but yes, I wanted to give this one that name 🙂).
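The post does not say which server-side check was missing, so the following is an added example, not code from the post or from the site: a minimal Python model that assumes two flaws, that the reset form resolved the target account by its current e-mail address rather than by the account the token was issued for, and that an admin could re-point a member's e-mail to an already-registered address without verification. The fixed handlers beside them show the checks a defender would add (bind the reset to the immutable user id, reject duplicate addresses, revoke pending tokens on an e-mail change).

```python
import secrets

class Store:
    """Assumed (not the site's) in-memory user and reset-token tables."""
    def __init__(self):
        self.users = {}         # user_id -> {"email": str, "password": str}
        self.reset_tokens = {}  # token -> user_id the reset was issued for
    def add_user(self, user_id, email, password):
        self.users[user_id] = {"email": email, "password": password}
    def issue_reset(self, user_id):
        token = secrets.token_urlsafe(16)
        self.reset_tokens[token] = user_id
        return token

def change_email_vulnerable(store, user_id, new_email):
    # Assumed flaw: no uniqueness check and no verification of the new address.
    store.users[user_id]["email"] = new_email
    return True

def complete_reset_vulnerable(store, token, new_password):
    # Assumed flaw: the target is resolved by the account's *current* e-mail,
    # so every account sharing that address (the victim) gets the new password.
    email = store.users[store.reset_tokens.pop(token)]["email"]
    for u in store.users.values():
        if u["email"] == email:
            u["password"] = new_password

def change_email_fixed(store, user_id, new_email):
    # Reject an address already registered to another account, and revoke the
    # user's outstanding reset tokens so a pending reset cannot be replayed.
    if any(uid != user_id and u["email"] == new_email for uid, u in store.users.items()):
        return False
    store.users[user_id]["email"] = new_email
    store.reset_tokens = {t: uid for t, uid in store.reset_tokens.items() if uid != user_id}
    return True

def complete_reset_fixed(store, token, new_password):
    # Apply the reset only to the immutable user_id the token was issued for.
    store.users[store.reset_tokens.pop(token)]["password"] = new_password

def run(change_email, complete_reset):
    """Replay the post's sequence; return (victim_password, user_b_password)."""
    s = Store()
    s.add_user("victim", "victim@example.com", "victim-pw")   # constructed data
    s.add_user("user_b", "user-b@example.com", "b-pw")
    token = s.issue_reset("user_b")                    # User-A mails B a reset link
    if change_email(s, "user_b", "victim@example.com"):  # User-A re-points B's e-mail
        complete_reset(s, token, "attacker-pw")        # User-B submits a new password
    return s.users["victim"]["password"], s.users["user_b"]["password"]
```

Running `run` with the vulnerable pair reproduces the post's outcome (the victim's password changes); with the fixed pair the e-mail change is refused and both passwords stay as they were.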
Impact:
Without any interaction, I can take over anyone's account just by knowing their email ID.
Timeline:
Reported through mail: 20 Feb 2023, 10:21 PM
Bug accepted and invited to their private program: 21 Feb, 18:28
Accepted & invited to Bugcrowd.
Rewarded & resolved on 24 Feb 2023
Follow me for more content:
LinkedIn | Twitter | Instagram
Thanks for reading!!
Your Kullai 🙂