Account Takeover through Password Reset
Account Takeover through Password Reset – Bug Bounty POC
Hello Bug Bounty POC viewers, I hope you are having a good time here reading proofs of concept. It's me, Hamid Ashraf, and today I will be disclosing an account takeover through password reset on a HackerOne private website. Last month an invite came through my inbox and I decided to have a look into it. Later that day an article by my good friend Salman popped into my head, and I decided to give it a try. So let's come to the real part: how I did it.
I created two accounts, email@example.com and firstname.lastname@example.org.
Then I requested a password reset link for firstname.lastname@example.org. When I looked at the reset token it looked like base64, but decoding it gave nothing useful, so I thought maybe the server was reversing the string. I reversed the token and decoded it. BOOM! The key was decoded, and there were two things inside it:
– Timestamp
– Email address
The main thing here was the timestamp, so the task became guessing the timestamp. I opened two browser windows, say Mozilla and Chrome, and shrank both so I could operate them at the same time. I entered email@example.com in one window and firstname.lastname@example.org in the other, and requested both reset keys as quickly as I could. Then I took the key that arrived for email@example.com, reversed it, decoded it and replaced firstname.lastname@example.org with email@example.com. I encoded it again, reversed it and tried to reset, but the server did not accept it. As I said above, it took me about a second to request both keys, so after reversing and decoding again I increased the timestamp a little, to account for the second it took me to request the other one. And guess what: the server accepted it and I was able to reset any user's password. Haha, I know it's really confusing, guys, but give your mind some hard time and try to understand it. I hope you enjoyed reading it.
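The weakness described above is that the token is built entirely from values the requester already knows or can guess (the account's e-mail address and a timestamp) behind a reversible encoding, so nothing in it is secret. The following Python is an added example, not the author's code or the target site's code: it reconstructs a token of that shape (the `|` separator and the exact field layout are assumptions) only to show that it reads straight back into its inputs, and then shows a reset-token design that does not have this property: a random token, stored only as a hash, bound to one user, time-limited, single-use, and invalidated when a newer one is issued.

```python
import base64
import hashlib
import secrets
import time
from typing import Optional, Tuple

# --- Weak scheme of the kind described in the write-up (reconstructed) ---
# Assumption: the decoded token is "<email>|<unix timestamp>", base64-encoded,
# then the whole string is reversed. Separator and layout are illustrative.

def weak_token(email: str, ts: int) -> str:
    """Build a token from values anyone can guess: no secret enters the computation."""
    payload = f"{email}|{ts}".encode()
    return base64.b64encode(payload).decode()[::-1]

def weak_decode(token: str) -> Tuple[str, int]:
    """Undo the reversal, base64-decode, and split the fields back out."""
    email, ts = base64.b64decode(token[::-1]).decode().split("|", 1)
    return email, int(ts)

# --- Hardened scheme ---
TOKEN_TTL_SECONDS = 15 * 60  # short validity window

class ResetTokenStore:
    """Issues and redeems password-reset tokens (in-memory store for the example).

    The token is 256 bits from a CSPRNG, so it encodes nothing about the user or
    the time. Only its SHA-256 hash is kept, so a leaked table yields no usable
    tokens. Each hash maps to exactly one user id, expires, is deleted on first
    redemption, and is replaced when a newer token is issued for the same user.
    """

    def __init__(self) -> None:
        self._pending = {}   # sha256(token) -> (user_id, expires_at)
        self._by_user = {}   # user_id -> sha256(token) currently outstanding

    @staticmethod
    def _fingerprint(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        # Any earlier outstanding token for this user stops working.
        old = self._by_user.pop(user_id, None)
        if old is not None:
            self._pending.pop(old, None)
        token = secrets.token_urlsafe(32)
        fp = self._fingerprint(token)
        self._pending[fp] = (user_id, now + TOKEN_TTL_SECONDS)
        self._by_user[user_id] = fp
        return token

    def redeem(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Return the user id the token was issued for, or None if it is unknown,
        expired or already used. The user id comes from the server-side record,
        never from anything the client submits."""
        now = time.time() if now is None else now
        entry = self._pending.pop(self._fingerprint(token), None)  # pop: single use
        if entry is None:
            return None
        user_id, expires_at = entry
        self._by_user.pop(user_id, None)
        if now > expires_at:
            return None
        return user_id

if __name__ == "__main__":
    # Constructed sample values, not from the report.
    t = weak_token("firstname.lastname@example.org", 1700000000)
    print("weak token decodes to:", weak_decode(t))
    store = ResetTokenStore()
    tok = store.issue("user-42")
    print("first redeem:", store.redeem(tok), "second redeem:", store.redeem(tok))
```

The store looks tokens up by their SHA-256 fingerprint rather than comparing raw tokens, so no secret is ever compared byte by byte; the only thing a client can learn is whether its token exists, and a 256-bit random value cannot be guessed or derived from a timestamp. Note also that the account to reset is taken from the stored record, which is what removes the "swap the e-mail address" step entirely.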
Account Takeover through Password Reset – Bounty:
In the end I would like to thank Salman Khan.