Account Takeover through Password Reset
Account Takeover through Password Reset – Bug Bounty POC
Hello Bug Bounty POC viewers, I hope you are having a good time here reading proofs of concept. It's me, Hamid Ashraf, and today I will be disclosing an account takeover through password reset on a HackerOne private website. Last month an invite came through my inbox and I decided to have a look at it. Later an article by my good friend Salman popped into my head, and I decided to give it a try. So let's get to the real part: how I did it.
I created two accounts:
Hacker@gmail.com
Victim@gmail.com
Then I requested a password reset link for hacker@gmail.com. When I looked closely at the reset token it looked like base64, but decoding it directly gave nothing. I then thought the server might be using a reversed key, so I reversed the token string and decoded it. BOOM! The key decoded, and there were two things inside it:
– Timestamp
– Email
So the main thing was the timestamp: the attack came down to guessing the victim's timestamp. I opened two browser windows, say Mozilla and Chrome, and shrank both so I could operate them at the same time. I entered hacker@gmail.com in one window and victim@gmail.com in the other, and requested both reset links as quickly as I could. I took the key sent to hacker@gmail.com, reversed it, decoded it and replaced hacker@gmail.com with victim@gmail.com. Then I encoded it again, reversed it and tried to reset, but the server did not accept it. Because it had taken me about a second to request the second key, I reversed and decoded the key once more and increased the timestamp a bit to account for that delay. And guess what: the server accepted it, and I was able to reset any user's password. I know it is confusing, but give your mind some hard time and try to understand it. I hope you enjoyed reading it.
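The weak token scheme the post describes (timestamp and email, base64-encoded and then reversed) beside a hardened reset-token design, as an added Python example that is not the author's or the target site's code; the exact field layout ("<timestamp>:<email>") and the 15-minute lifetime are assumptions.

```python
import base64
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

# --- Weak scheme as described in the post (assumed layout "<timestamp>:<email>",
# base64-encoded, then the string reversed). Nothing in the token is secret or
# authenticated, so whoever can decode it can produce one for any account.

def weak_token(email: str, ts: int) -> str:
    return base64.b64encode(f"{ts}:{email}".encode()).decode()[::-1]

def decode_weak_token(token: str) -> Tuple[int, str]:
    # If a reset token round-trips to readable fields like this, it is forgeable.
    ts, email = base64.b64decode(token[::-1]).decode().split(":", 1)
    return int(ts), email

# --- Hardened scheme: an unguessable random token, stored only as a hash and
# bound server-side to the account and an expiry. The token carries no data,
# so there is nothing to decode, edit or re-target.

_RESET_STORE: Dict[str, Tuple[str, float]] = {}  # sha256(token) -> (email, expires_at)
RESET_TTL_SECONDS = 15 * 60  # assumed lifetime

def issue_reset_token(email: str, now: Optional[float] = None) -> str:
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    digest = hashlib.sha256(token.encode()).hexdigest()
    _RESET_STORE[digest] = (email, now + RESET_TTL_SECONDS)
    return token  # sent to the user only; the plaintext is never stored

def consume_reset_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the account email if the token is valid, unexpired and unused, else None."""
    now = time.time() if now is None else now
    digest = hashlib.sha256(token.encode()).hexdigest()
    # constant-time comparison against every stored digest: no early exit on a partial match
    match = next((d for d in _RESET_STORE if hmac.compare_digest(d, digest)), None)
    if match is None:
        return None
    email, expires_at = _RESET_STORE.pop(match)  # single use: removed on first attempt
    return email if now <= expires_at else None
```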
Account Takeover through Password Reset – Bounty:

In the end I would like to thank Salman Khan.
How about the reverse key part….. need some more info on that part…
‘ABC’ reverse this to ‘CBA’
I like the helpful information you provide in your articles. I will bookmark your weblog and check again here frequently. I’m quite sure I will learn a lot of new stuff right here! Best of luck for the next!
Thanks 🙂
Can you make a video on it so I can understand it better?
It’s really awesome bro, can you please post about different encoding techniques?