Hello there, I am Faiyaz Ahmad, currently studying for a B.Tech in computer science (2nd year), and today I want to share the story of how I found a critical vulnerability that let me take over anyone’s account.
I was looking for a program that offers no bounties, only a hall of fame for those who submit valid vulnerabilities. After searching for around 5 mins I found one (sorry, I can’t tell you their name as per their disclosure rules); let’s call it program.com.
I immediately started subdomain enumeration, but then began hunting on the main domain (a very bad idea if you are a noob like me), and after searching for 2–3 hours I ended up with nothing.
I was totally discouraged and thought that maybe I should read more write-ups and books, or watch how other hackers do things. Once I had done enough reading I got motivated again and went back to looking for bugs.
About 1 hour later I found a domain (programfashion.com) and thought: hmm, this one looks interesting, maybe I should look for vulns here. I opened it, and the first thing I saw was the login functionality of the web app. This time I wanted to find a bug with the most impact, so I thought, why not find one that can take over anyone’s account? I started testing the login functionality and found that:
1- You can create an account using a phone number as well as an email.
2- On password reset, if the user created the account with a phone number, an OTP is sent to that number; otherwise the OTP is sent to the email.
After noting these two things, I fired up Burp Suite to see what was going on behind the scenes and found that a password reset request also carries an extra parameter (customer_email) to the server.
Seeing this, I tried putting my own email in that parameter and, guess what, the OTP got sent to both customer_email and customer_mobile. I could hardly believe it.
Here is what is happening: if someone registered their account by email, an attacker can abuse the behaviour above to get that account’s OTP sent to the attacker’s own mobile.
So here is how an attacker can abuse this functionality:
1- The attacker goes to the reset password page.
2- There, the attacker enters the victim’s registered email (say [email protected]) and adds their own phone number (say 1234567890).
3- The attacker now has a valid OTP for [email protected] on their mobile and can access the victim’s account.
The one limitation is that anyone who registered their account with a phone number has nothing to worry about, but we can still access the account of anyone who registered by email. After finding this bug I quickly reported it to them; their senior engineer then called me, discussed the vulnerability, and asked me not to disclose their program. 5 days later, I finally got my name on their hall of fame list.
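To make the root cause concrete, here is an added example (my own illustration, not the program’s code) of a reset handler modelled on the behaviour described above beside a fixed one, plus a small check a defender could use to spot such requests in logs. The account store, the user names, the phone numbers and the function names are all hypothetical; only the parameter names customer_email and customer_mobile come from the write-up.

```python
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed sample account store (hypothetical users, not real data).
# An account only keeps the contact it was registered with.
USERS = {
    "victim@example.com": {"email": "victim@example.com", "mobile": None},
    "+15550001111":       {"email": None, "mobile": "+15550001111"},
}


@dataclass
class OtpDispatch:
    """Where the reset OTP would be delivered for one request."""
    otp: str
    email_to: Optional[str]
    sms_to: Optional[str]


def new_otp() -> str:
    """Six-digit OTP from a CSPRNG (secrets), never from the random module."""
    return f"{secrets.randbelow(10 ** 6):06d}"


def find_user(identifier: Optional[str]) -> Optional[dict]:
    return USERS.get(identifier) if identifier else None


def reset_vulnerable(params: dict) -> Optional[OtpDispatch]:
    """Models the flaw in the write-up: the account is looked up by the
    email in the request, but the OTP destinations are ALSO taken from the
    request (customer_email / customer_mobile), so a caller can add a phone
    number the account never registered and receive that account's OTP.
    Phone-registered accounts are not indexed by email, so they are unaffected,
    matching the limitation the write-up describes."""
    user = find_user(params.get("customer_email"))
    if user is None:
        return None
    return OtpDispatch(
        otp=new_otp(),
        email_to=params.get("customer_email"),
        sms_to=params.get("customer_mobile"),   # attacker-controlled
    )


def reset_hardened(params: dict) -> Optional[OtpDispatch]:
    """Fix: the request only names the account; delivery addresses come
    exclusively from the stored record, so any extra client field is ignored."""
    user = find_user(params.get("identifier"))
    if user is None:
        return None  # the HTTP layer should still answer with a generic message
    return OtpDispatch(otp=new_otp(), email_to=user["email"], sms_to=user["mobile"])


def contact_mismatch(params: dict) -> bool:
    """Detection signal for logs or a WAF rule: a reset request that supplies
    a contact field differing from what the looked-up account has on record."""
    user = find_user(params.get("customer_email"))
    if user is None:
        return False
    for field, key in (("customer_email", "email"), ("customer_mobile", "mobile")):
        supplied = params.get(field)
        if supplied and supplied != user[key]:
            return True
    return False


if __name__ == "__main__":
    # Constructed reset request: victim's email plus an unregistered number.
    req = {"customer_email": "victim@example.com", "customer_mobile": "+15559998888"}
    print("vulnerable:", reset_vulnerable(req))
    print("mismatch flagged:", contact_mismatch(req))
    print("hardened:", reset_hardened({"identifier": "victim@example.com"}))
```

The fix is not about validating the phone number format; it is that the server must never take the OTP destination from the client at all. The mismatch check is only useful while the vulnerable endpoint still exists, for example to alert on abuse during the window before the fix ships.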
Here’s what you can take from this write-up:
1- Never give up, just keep trying. If things are not going well, get more knowledge from write-ups, videos, etc.
2- If you are a beginner, always try finding bugs on subdomains.
3- Always follow the road less traveled 😉
4- Keep learning
So, this was the story of how I got my first account takeover bug and got my name on a hall of fame. This is my first write-up, so please forgive any mistakes.
Thanks for reading. Peace out!