A tale of my first ATO (Account Takeover)

Shubham Ghosh
3 min read · Apr 15, 2021

Warm greetings to all the amazing hackers out there. I am Shubham Ghosh, a Penetration Tester and a noob in the world of bug bounty, from Jharkhand, India. I am very excited to share one of my findings, which stands to be a critical one and a P1 vulnerability.

Let’s Begin Bois :-)

Let’s assume the target to be target.com, as I am not allowed to disclose the target name. This was a normal web application with features like sign-up, login, forget-password, change-email, etc. There was a forget-password endpoint that had phone-no in the request, meaning that if you provided the phone number you would get a 6-digit OTP on your phone, which would be required further on to reset the password. There I tried the traditional brute forcing, but there was a proper rate-limiting implementation. I was discouraged, as I couldn’t find anything vulnerable in the application so far.

I thought of reading some writeups and accidentally came across the HowToHunt gitbook by KathanPatel. I highly recommend that everyone go through the repository once; it will surely help you all in your hunting. All credits to Kathan Patel and to everyone who contributed to making this repo an awesome one.

Back to the forget-password endpoint. I created two accounts on the app. I went to the forget-password page, put in the mobile number of the attacker account, and received the OTP on my mobile. I was redirected to a page where I was asked to enter the OTP. I fired up Burp Suite, entered the OTP, and intercepted the request. The request looked like the screenshot below.

[Screenshot: forget-password request]

In the phone number field, I changed the phone number to the victim account's phone number and forwarded the request. Going back to the browser, I was amazed to see the set-password page, where I was asked to set the new password. The issue was in the validation on the server side: it was not validating the OTP against the phone number for which it was generated. This means I could reset the password of any user’s account by using the OTP which I had received on my own mobile number.

Impact: Exploiting this issue, an attacker can reset any user’s password just by knowing the phone number of the user, and a full account takeover is possible with zero user interaction.
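To make the root cause concrete, here is an added example (my own illustration, not the target's code or anything from the original post) that models the two ways the OTP step can be written. The vulnerable check accepts any outstanding OTP without looking at the phone number in the request, which is the behaviour the write-up describes; the hardened check looks the OTP up by the phone it was issued for, compares it in constant time, expires it, consumes it on first use, and discards it after a handful of wrong guesses. The in-memory store, the 5-minute lifetime, the attempt limit and the phone numbers are all assumptions I made for the demo.

```python
"""Vulnerable vs. hardened OTP verification for a phone-based password reset.

Added example, not the blog's code: it models the bug in the write-up, where the
server checks that an OTP is valid but never checks that it was issued for the
phone number in the request. Phone numbers below are constructed placeholders.
"""
import hmac
import secrets
import time

OTP_TTL_SECONDS = 300   # assumption: a 5-minute OTP lifetime
MAX_ATTEMPTS = 5        # assumption: wrong guesses allowed per issued OTP


class OtpStore:
    def __init__(self, now=time.time, rng=secrets.randbelow):
        self._now = now            # injectable clock, so expiry can be tested
        self._rng = rng            # injectable RNG, so the demo is deterministic in tests
        self._by_phone = {}        # phone -> {"otp", "expires", "attempts"}
        self._valid_otps = set()   # vulnerable design: OTPs stored without an owner

    def issue(self, phone):
        """Generate a 6-digit OTP for `phone`. It is returned here only so the
        demo can play the SMS gateway; a real service sends it and returns nothing."""
        otp = f"{self._rng(10**6):06d}"
        self._by_phone[phone] = {
            "otp": otp,
            "expires": self._now() + OTP_TTL_SECONDS,
            "attempts": 0,
        }
        self._valid_otps.add(otp)
        return otp

    def verify_vulnerable(self, phone, otp):
        """The flawed check from the write-up: `phone` is never consulted, so an
        OTP issued for the attacker's number passes when submitted with the
        victim's number, and the reset then proceeds for `phone`."""
        if otp in self._valid_otps:
            self._valid_otps.discard(otp)
            return True
        return False

    def verify_fixed(self, phone, otp):
        """Hardened check: OTP looked up by the phone it was issued for, compared
        in constant time, expired after OTP_TTL_SECONDS, single-use, and thrown
        away after MAX_ATTEMPTS wrong guesses."""
        entry = self._by_phone.get(phone)
        if entry is None:
            return False
        if self._now() > entry["expires"]:
            del self._by_phone[phone]
            return False
        entry["attempts"] += 1
        if entry["attempts"] > MAX_ATTEMPTS:
            del self._by_phone[phone]
            return False
        # encode() so compare_digest works for any str the client might send
        if not hmac.compare_digest(entry["otp"].encode(), otp.encode()):
            return False
        del self._by_phone[phone]   # consumed: the same OTP cannot be replayed
        return True


def replay_writeup(store=None):
    """Re-enact the report: attacker requests an OTP for their own number, then
    submits it together with the victim's number.
    Returns (vulnerable_result, fixed_result)."""
    if store is None:
        store = OtpStore()
    attacker, victim = "+91-0000000001", "+91-0000000002"  # constructed placeholders
    attacker_otp = store.issue(attacker)
    store.issue(victim)   # the victim's own OTP exists but the attacker never sees it
    return (
        store.verify_vulnerable(victim, attacker_otp),  # True: takeover of victim
        store.verify_fixed(victim, attacker_otp),       # False: OTP bound to attacker's phone
    )


if __name__ == "__main__":
    print(replay_writeup())  # (True, False)
```

The fix is the lookup by phone number: the OTP is only ever compared with the one issued for the number in the request, so an OTP the attacker legitimately received cannot be spent on another account. The same binding must carry through to whatever reset token the server hands out after verification, otherwise the bug simply moves one step later in the flow. The expiry and attempt limit are there so that the rate limiting the author observed on the request step is also enforced on the verify step.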

Sorry to say, but the developer might be on high-quality weed. Just kidding, mistakes happen, and that’s why we exist: to point them out and get them fixed before anything bad happens. I quickly created a video PoC, wrote a report, and submitted it to the organization. And within a week I was rewarded with $$ in my PayPal account.

If you have read this far, I hope I could add some value to your day.

Connect with me on LinkedIn, Twitter

Until next time. Peace.

Shubham Ghosh

Penetration Tester | Bug Hunter | Cybersecurity | Security Researcher | CTF Player