Account Takeover [Using Forgot Password Functionality]
Hi Folks!
I was testing one of the private programs, in which I was able to take over users' accounts across different job roles. Basically, there were three job roles supported by the system: Super Admin, Manager, and Engineer.
To keep confidentiality on top of everything, the original domain is hidden as redacted.com. For the POC, I used the two accounts given for testing, as it was a grey-box testing approach.
- mosin.shekh@redacted.com [Manager]
- demotestmanager@redacted.com [Super Admin]
Steps to take over an account using the forgot password functionality:
1. Click on the Forgot Password functionality. The page shown below is accessible and allows the user to enter an email to receive a password reset link.
2. Enter a valid email (your own) and a password reset link will be sent to that email id. Copy the URL. e.g. mosin.shekh@redacted.com [Manager account]
3. Paste the copied URL into the web browser. It will ask you to enter a new password and confirm it, as shown below.
4. Enter the new credentials (123 in this case) and capture the traffic in the Burp Suite proxy tool.
5. Change your email (in this case mosin.shekh@redacted.com) to some other user's email, and the password of that particular user will be changed successfully. Here the mosin.shekh@redacted.com user changed the password of demotestmanager@redacted.com successfully, which was confirmed by logging in.
6. Try logging into the Super Admin account with the newly set password, which is 123.
7. Capture the request in the proxy tool to confirm it. Notice that a new access token for the Super Admin is generated and the Super Admin is logged in successfully.
Impact: An attacker will have full access to any user account (Super Admin, Manager, or Engineer) just by knowing the user's email. The attacker can obtain users' emails using the Username Enumeration vulnerability, which is reported in this document itself.
It is a critical issue because an attacker can change any user's password without any user interaction: the victim does not need to perform any action, and yet the attacker can fully take over any user's account.
Recommendation: Below are the account takeover preventions.
1. Fix the Username Enumeration vulnerability, so that users' emails are not disclosed by any means.
2. When the user opens the Reset Password link, make sure the user's email is encrypted while it is rendered on the client side. If so, an attacker cannot tell whose email it is, nor what newly encrypted email value would be accepted by the web server.
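As an added illustration (not the tested program's code, which is unknown), the Python sketch below contrasts a reset handler that trusts the client-supplied email, the behaviour found above, with a hardened one. The hardened version goes beyond the recommendation above by using a different technique: it derives the account from a server-side, single-use, expiring reset token and ignores any email field in the request. The in-memory user store, the token store and the accounts are constructed for the demo.

```python
import hashlib
import secrets
import time

# Constructed in-memory user store for the demo (email -> password).
# A real system would store password hashes, not plaintext.
USERS = {
    "mosin.shekh@redacted.com": "old-manager-pass",
    "demotestmanager@redacted.com": "old-admin-pass",
}
# Server-side reset records: sha256(token) -> {email, expires, used}
RESET_TOKENS = {}
TOKEN_TTL = 15 * 60  # reset link validity in seconds


def issue_reset_token(email, now=None):
    """Step 2 of the write-up: create the token embedded in the reset link.
    Only the hash is stored, so a leaked table does not yield usable links."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    key = hashlib.sha256(token.encode()).hexdigest()
    RESET_TOKENS[key] = {"email": email, "expires": now + TOKEN_TTL, "used": False}
    return token


def reset_vulnerable(form):
    """Insecure handler: the account to update is whatever 'email' field the
    browser sent, so editing that field in a proxy changes another user."""
    USERS[form["email"]] = form["password"]
    return form["email"]


def reset_hardened(form, now=None):
    """Secure handler: the account comes from the server-side token record;
    any 'email' field in the request is ignored. Returns the account that was
    updated, or None if the token is unknown, already used or expired."""
    now = time.time() if now is None else now
    key = hashlib.sha256(form.get("token", "").encode()).hexdigest()
    rec = RESET_TOKENS.get(key)
    if rec is None or rec["used"] or rec["expires"] < now:
        return None
    rec["used"] = True  # single use: the link cannot be replayed
    USERS[rec["email"]] = form["password"]
    return rec["email"]
```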
References:
OWASP Broken Authentication:
https://owasp.org/www-project-top-ten/2017/A2_2017-Broken_Authentication
OWASP Broken Access Control:
Please do like and follow for more reads.
Thanks!