PII Leakage via IDOR + Weak PasswordReset = Full Account Takeover
2020-09-26 05:02:31 Author: medium.com (view original) Reads: 193

Pradeep Kumar

Hello Hunters, this is a quick write-up on one of my recent findings on a bug bounty program. Before jumping into the vulnerability, let us get familiarized with a few terms.

What is PII Leakage?

Personally identifiable information (PII) is any data that could potentially identify a specific individual, such as a username, user ID or any other personal information. PII leakage is the exposure of such data.

What is Account Takeover Vulnerability?

It is a type of vulnerability that allows an attacker to take full control of a user's account by exploiting a flaw in the application's logic.

Since the program does not allow disclosure, let's refer to it as redacted.com. It started when I began to test the reset password functionality of the target. Just like any other website, the forgot password page at https://redacted.com/forgotpassword sent an email to the registered mail address for the password change. The reset password link was as below:

https://redacted.com/forgot_password/5f12cc7079f273.12051864/1597479504/NTg4NTg4a2lsbGVyQGdtYWlsLmNvbWFzZGZnaGprbDkxODI3Mzc0NjUwMDA=+++NTg4NTg4a2lsbGVy+++NTg4NTg4

The link did not expire even after changing the password. Weird, right!? Requesting a password reset once again gave the following link:

https://redacted.com/forgot_password/8ac79ccf2a33.12057854/1597486704/NTg4NTg4a2lsbGVyQGdtYWlsLmNvbWFzZGZnaGprbDkxODI3Mzc0NjUwMDA=+++NTg4NTg4a2lsbGVy+++NTg4NTg4

The thing to observe is that the last part of the URL is the same in both links.


After analyzing the above link:

1597486704 → Unix Time Stamp

The last part of the URL was base64; decoding it gave the following:

[email protected]+++588588killer+++588588

Here, 588588 is my user ID and [email protected] is my email address. But wait, what was the gibberish-looking thing [asdfghjkl9156837463000]?

Never mind; after playing with the link for some time, I found that only the last part of the URL, i.e. the user ID, was being validated by the server for the password reset.

https://redacted.com/forgot_password/5f12cc7079f273.12051864/1597479504/NTg4NTg4a2lsbGVyQGdtYWlsLmNvbWFzZGZnaGprbDkxODI3Mzc0NjUwMDA=+++NTg4NTg4a2lsbGVy+++[VALIDATED_PART]

So now, if I knew the user ID of any user, I could change their password with ease. Win? Nah!!
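How a reset flow like this should be built, as an added example that is not the target's or the author's code: the weak scheme below is a constructed model of what the post describes (three base64 segments joined by `+++`, with only the trailing user ID consulted, so the first two segments carry no security at all), and `ResetTokenStore` is the hardened counterpart, in which a random single-use token stored only as a hash identifies the account by itself, expires, and is revoked when the password changes (the post's old link stayed valid even after the password had been changed). All function and class names, the 15-minute TTL and the sample values are assumptions.

```python
import base64
import hashlib
import secrets
import time
from typing import Callable, Optional

# ---------------------------------------------------------------------------
# Weak scheme (constructed model of the behaviour the post describes).
# ---------------------------------------------------------------------------

def weak_build_token(user_id: str, email: str, username: str, nonce: str) -> str:
    """Three base64 segments joined by '+++', mirroring the shape of the reset URL."""
    segments = [f"{user_id}{email}{nonce}", f"{user_id}{username}", user_id]
    return "+++".join(base64.b64encode(s.encode()).decode() for s in segments)


def weak_verify(token: str) -> Optional[str]:
    """Returns the account to reset: whatever the LAST segment decodes to.

    The first two segments are never consulted, so the user ID alone decides
    which account's password gets changed. This is the flaw, not a fix.
    """
    try:
        return base64.b64decode(token.split("+++")[-1]).decode()
    except (ValueError, UnicodeDecodeError):
        return None


# ---------------------------------------------------------------------------
# Hardened scheme (assumed design, not the target's implementation).
# ---------------------------------------------------------------------------

class ResetTokenStore:
    """Server-side store of pending reset tokens.

    - The token is 256 bits of CSPRNG output; the URL carries nothing else.
    - Only its SHA-256 is stored, so a database leak does not yield usable links.
    - Each token is single-use, expires after TTL_SECONDS, and is superseded
      when a new one is issued for the same user.
    """

    TTL_SECONDS = 15 * 60  # assumed lifetime

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._now = now  # injectable clock so expiry can be tested offline
        self._pending: dict[str, tuple[str, float]] = {}  # digest -> (user_id, expires_at)

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id: str) -> str:
        """Creates a fresh token for user_id, revoking any earlier one."""
        self.invalidate_user(user_id)
        token = secrets.token_urlsafe(32)
        self._pending[self._digest(token)] = (user_id, self._now() + self.TTL_SECONDS)
        return token

    def invalidate_user(self, user_id: str) -> None:
        """Drops every pending token for user_id (call after any password change)."""
        self._pending = {d: v for d, v in self._pending.items() if v[0] != user_id}

    def redeem(self, token: str) -> Optional[str]:
        """Consumes the token and returns the bound user ID, or None.

        The caller never supplies a user ID: the account comes from the store,
        so there is nothing in the URL for a requester to substitute.
        """
        entry = self._pending.pop(self._digest(token), None)  # single use
        if entry is None:
            return None
        user_id, expires_at = entry
        if self._now() > expires_at:
            return None
        return user_id


def complete_reset(store: ResetTokenStore, token: str, new_password: str,
                   set_password: Callable[[str, str], None]) -> bool:
    """Full reset step: token decides the account, then all its tokens are revoked."""
    user_id = store.redeem(token)
    if user_id is None:
        return False
    set_password(user_id, new_password)
    store.invalidate_user(user_id)
    return True
```

In the hardened version a reset link for user 588588 can only ever change 588588's password, and once it has been used, has expired, or has been superseded by a newer request it is rejected; the same three properties are exactly what the post found missing.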

Now the goal was to find the spot where the user IDs of users were revealed or leaked. After a couple of days of recon I was able to find an IDOR on an endpoint in a JavaScript file. The endpoint only required the userID parameter, and it leaked many sensitive pieces of information, such as username, email address and even residential address, belonging to that user ID.

IDOR Link:

https://redacted.com/razor/verify_email?rand=588588&request=wcq

Now all I had to do was enumerate the email address for each user ID via brute force. [PS: User ID 1 belonged to the admin ;)]
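The defender's side of the IDOR above, as an added example that is not the target's or the author's code: a constructed model of the endpoint that returns a record for any `rand` value, beside a hardened handler that enforces object-level authorization (the record may only be read by the authenticated owner, and only the field the flow needs is returned), plus a small detector that flags a source requesting many distinct `rand` values, which is what the brute-force enumeration the post describes would look like in access logs. The user records, log lines, threshold and all function names are constructed assumptions.

```python
import re
from collections import defaultdict
from typing import Optional

# Constructed user table; not data from the post.
USERS = {
    "1": {"username": "admin", "email": "admin@example.com", "address": "1 Example St"},
    "588588": {"username": "alice", "email": "alice@example.com", "address": "2 Example St"},
}


def vulnerable_verify_email(rand: str) -> Optional[dict]:
    """Model of the flaw: whoever supplies a user ID gets that user's full record."""
    return USERS.get(rand)


class Forbidden(Exception):
    """Raised when the caller is not allowed to read the requested record."""


def hardened_verify_email(session_user_id: Optional[str], rand: str) -> dict:
    """Object-level authorization: the session owner may only read their own record.

    Unknown IDs and other users' IDs get the same error, so the endpoint is
    not an oracle for which user IDs exist.
    """
    if session_user_id is None:
        raise Forbidden("authentication required")
    if session_user_id != rand or rand not in USERS:
        raise Forbidden("not permitted")
    # Return only what an email-verification step needs, not the whole record.
    return {"email": USERS[rand]["email"]}


def hardened_allows(session_user_id: Optional[str], rand: str) -> bool:
    """Convenience wrapper: True if the hardened handler would serve the request."""
    try:
        hardened_verify_email(session_user_id, rand)
        return True
    except Forbidden:
        return False


# --- Detection: many distinct rand= values from one source ------------------

# Combined-log-format lines; assumed path mirrors the endpoint named in the post.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) .*? "GET /razor/verify_email\?rand=(?P<rand>\d+)[^"]*" (?P<status>\d{3})'
)


def enumeration_suspects(log_lines, threshold: int = 20) -> dict:
    """Maps each source IP to its count of distinct IDs when that count >= threshold."""
    distinct = defaultdict(set)
    for line in log_lines:
        m = LOG_LINE.match(line)
        if m:
            distinct[m.group("ip")].add(m.group("rand"))
    return {ip: len(ids) for ip, ids in distinct.items() if len(ids) >= threshold}


# Constructed sample log: one source walking IDs 1..25, one legitimate lookup.
SAMPLE_LOG = [
    f'203.0.113.7 - - [15/Aug/2020:10:00:{i % 60:02d} +0000] '
    f'"GET /razor/verify_email?rand={i}&request=wcq HTTP/1.1" 200 512'
    for i in range(1, 26)
] + [
    '198.51.100.4 - - [15/Aug/2020:10:01:00 +0000] '
    '"GET /razor/verify_email?rand=588588&request=wcq HTTP/1.1" 200 512',
]
```

The authorization check is the fix; the log detector is the compensating control for the window before the fix ships, since a legitimate user has no reason to ask about more than their own ID.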

IN BRIEF:

Enumerate the userID and EmailAddress from the endpoint → Reset the password → Login with the new password → Full Account Takeover

PS: The website stored personal information such as bank account number, PAN, Aadhaar card and other sensitive data, which could be accessed after signing in to the victim's account.

Thank you for reading!!

In collab with Spyder

Follow me on Twitter

killer007

Support

https://www.buymeacoffee.com/killer007


Source: https://medium.com/bugbountywriteup/pii-leakage-via-idor-weak-passwordreset-full-account-takeover-58d159f88d73?source=rss----7b722bfd1b8d--bug_bounty