Booking.com Token Issue – Bug Bounty POC
This post is published by Lnazi Jubaer as a contributor on Bug Bounty POC. Note that the post is written by Lnazi Jubaer, and any mistake in the writing will be entertained only from him. We allow anyone to write content on our blog as a guest/contributor so others can also learn. If you’re interested in sharing your findings through the Bug Bounty POC platform, just sign up on the blog and you can post freely.
Hello Bug Bounty POC viewers, I’m Lnazi Jubaer, and today I wanna share a bug report which I found on Booking.com!
This bug was quite interesting because I never thought it’d lead to account takeover. While I was pentesting the site, I didn’t find anything suitable for me to pentest, because it was a booking site and it had no forums or chats, so that I could affect other users with my testing!
But then I thought, why not try something with the password? So I logged out and tried to intercept the requests when the site sends a reset mail to my email.
While doing this I got bored and went back to my mailbox, and I saw that I had received 19 mails from Booking, and all the emails contained a password token.
So I clicked the first reset link which I got from Booking and, boom, I was able to change the password.
So it’s clear that the old tokens were not getting erased; that’s why I was able to access the first reset token.
I reported it to Booking.com. First they said it’s not a valid security issue, but after exchanging a few mails they were convinced that the tokens can be somehow risky.
So they decided to accept it as a security issue and also rewarded me with a bounty.
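The behaviour described in the post, next to its fix, as an added example that is not part of the original post and is not Booking.com's code: a reset-token store that either leaves earlier tokens live or revokes them whenever a new one is issued or one is redeemed. The class name, the one-hour lifetime, the hashed storage and the sample account are assumptions made for illustration.

```python
import hashlib
import secrets
import time

TOKEN_TTL = 3600  # assumed token lifetime in seconds


class ResetTokenStore:
    """Hypothetical store; invalidate_old=False models the reported flaw."""

    def __init__(self, invalidate_old=True):
        self.invalidate_old = invalidate_old
        self._tokens = {}  # sha256(token) -> (account, expires_at)

    @staticmethod
    def _digest(token):
        # Store only a hash so a leaked table does not expose usable tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def _revoke_all(self, account):
        self._tokens = {d: v for d, v in self._tokens.items() if v[0] != account}

    def issue(self, account, now=None):
        now = time.time() if now is None else now
        if self.invalidate_old:
            self._revoke_all(account)  # a new request kills every earlier link
        token = secrets.token_urlsafe(32)
        self._tokens[self._digest(token)] = (account, now + TOKEN_TTL)
        return token

    def redeem(self, token, now=None):
        """Return the account if the token is live, else None."""
        now = time.time() if now is None else now
        entry = self._tokens.get(self._digest(token))
        if entry is None or entry[1] < now:
            return None
        account = entry[0]
        if self.invalidate_old:
            self._revoke_all(account)  # password changed: drop all tokens
        else:
            del self._tokens[self._digest(token)]  # only this token is spent
        return account


def first_token_still_works(store, requests=19):
    """Issue `requests` reset tokens for one account, then try the first one."""
    tokens = [store.issue("user@example.test") for _ in range(requests)]  # constructed account
    return store.redeem(tokens[0]) is not None
```

With `invalidate_old=False` the first of the 19 tokens still resets the password; with the default, only the most recent token is accepted, and it stops working once used or expired.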