Account Compromise Using Password Reset Link
While researching and working on bug bounties I have found that by using Password Link we can Takeover all the users account of a website if that site is vulnerable to this type of attack.
Using this vulnerability the attacker can modify the email to any victims email to change their password and in this way he can also reset all passwords of all the accounts and can successfully compromise the victims account as after opening the password reset link sent to the user it show the email id input field with email@example.com email id which was editable input field and also 2 more blank fields to change the new password and the password reset token can be used for other users.
Please Note: There is no need to decode the password reset token values etc nor there was any client side validation.
Steps to Execute the Attack:
1. Open https://site.com/members/setup-password/14aaef7bb41ed6e4b46d09298ec1bfc6a483623d/
its will display email filed with firstname.lastname@example.org email id and the 2 blank field to change the password.
2. now the attacker will change the mail id to email@example.com and will submit his desired password and then he will submit this password reset form.
3. now you will see that the other users victim@gmail password will be changed and the attacker will be logged into the victims account i.e firstname.lastname@example.org
So in this way using the above mentioned steps the attacker can easily compromise any users account of that website.
Password Reset Vulnerability POC Screenshot:
Attackers Email ID: email@example.com and his password reset link:
So in this way the attacker can Takeover on any users account.
The token generated for the activation link isn’t re-checked and no validation is done for associated emailID field, allowing an attacker to change the value to a known email address and reset their password. This provides a trivial route for an attacker to gain access to accounts or cause a denial of service to users on the Application.
Input from the user should be treated as untrusted and re-validated when sent to the server. The recommended approach is to generate a onetime token which is linked to the user account, this can be passed with the onetime random token and shall expire once the password has been reset also the email parameter shall not be editable. Additionally, ensure if the identifier is not passed that this won’t default to updating all accounts.
So in this way one can Takeover on the victims accounts using the Password Reset Link also this way can be used to find same type of vulnerabilities on different websites.
Suggestions and Feedbacks are welcome.