Hey Guys,
One more blog post, this time explaining an interesting vulnerability I recently found in one of the mobile wallet companies of India.
To log in to any online website, we need a username, which is usually the user's registered mail id, and the password he has set for it; if he doesn't remember his password, the Reset Password feature comes to help. While researching this feature for vulnerabilities, I found a logical flaw by which I was able to reset any user's password and log in with it to take over his complete account.
Let's now get into the explanation:
1. When I clicked on the Reset Password functionality for the account "testaccount09@gmail.com", I received a mail saying "To reset the password, please click on the below link" and the link was something like:
http://www._________.com/account/resetpassword/?id=296417&token=dGVzdGFjY291bnQwOUBnbWFpbC5jb20=&vit=MjAxNi8xMC8yNQ==
2. Here 'id' is the identification number associated with the user account, 'token' is the base64-encoded registered mail id of the user, which here decodes to "testaccount09@gmail.com", and 'vit' is the base64-encoded timestamp, whose value in this case decodes to "2016/10/25".
3. Researching more, I found that the timestamp parameter is the expiry date of the reset password link, which here was 2 days from the time the user clicked on reset password.
4. Now comes the step of compromising the user account. What I did was replace the mail id of the user in the reset password link (encoded to base64) and keep the timestamp value 2 days ahead of the current date.
Victim mail id - varun09811@gmail.com
Base64 encoded value (Parameter = token) - dmFydW4wOTgxMUBnbWFpbC5jb20=
Timestamp value (Parameter = vit) - MjAxNi8xMC8yNQ==
5. The tricky part here is finding the "id" associated with that particular user mail id. Since it's a 6 digit code, I tried brute forcing it via a python script, and after a while I found the right id associated with the victim mail id, which happens to be id=254346 (yes, this is something time consuming).
6. So the tampered URL is:
http://www._________.com/account/resetpassword/?id=254346&token=dmFydW4wOTgxMUBnbWFpbC5jb20=&vit=MjAxNi8xMC8yNQ==
I loaded the link in the browser, set a new password for it, and I was successfully able to log in to his account. I had complete access to his account: I could use his wallet money, change the registered mobile number and everything!
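The root cause in the steps above is that every parameter in the link (id, token, vit) can be derived from public information, and the expiry is read from the client instead of the server. Below is an added example, not the wallet company's code or its fix: it models the link scheme exactly as the post describes it (the server-side check is my assumption of what it must have looked like) next to a hardened alternative, where the token is 256 random bits, only its SHA-256 is stored, it is bound to one user id, the expiry comes from the server clock and the token is single use. The user table, ids and addresses are the post's own constructed test values.

```python
import base64
import hashlib
import hmac
import secrets
from datetime import date, datetime, timedelta, timezone

# Constructed user table for the example (hypothetical; not the wallet company's data).
USERS = {
    296417: "testaccount09@gmail.com",
    254346: "varun09811@gmail.com",
}


# ---- The scheme the post describes: nothing in the link is secret ----

def weak_reset_params(user_id, email, expires):
    """Build id/token/vit as in the post: 'token' is base64 of the e-mail and 'vit'
    base64 of the expiry date. Anyone who knows an e-mail and guesses the id can rebuild it."""
    return {
        "id": str(user_id),
        "token": base64.b64encode(email.encode()).decode(),
        "vit": base64.b64encode(expires.strftime("%Y/%m/%d").encode()).decode(),
    }


def weak_verify(params, today):
    """Assumed server-side check (inferred from the post, not vendor code): the token must
    decode to the e-mail on file for 'id' and the client-supplied 'vit' must not have passed."""
    try:
        email = base64.b64decode(params["token"], validate=True).decode()
        vit = base64.b64decode(params["vit"], validate=True).decode()
        expiry = datetime.strptime(vit, "%Y/%m/%d").date()
        user_id = int(params["id"])
    except (KeyError, ValueError):
        return False
    return USERS.get(user_id) == email and today <= expiry


# ---- A hardened design (added here; not the vendor's actual fix) ----

TOKEN_TTL = timedelta(hours=1)
RESET_STORE = {}  # user_id -> {"digest": sha256(token), "expires": datetime, "used": bool}


def issue_reset_token(user_id, now):
    """Return a fresh 256-bit random token. Only its SHA-256 is stored, bound to the user id,
    with an expiry taken from the server clock (never from anything the client sends)."""
    token = secrets.token_urlsafe(32)
    RESET_STORE[user_id] = {
        "digest": hashlib.sha256(token.encode()).hexdigest(),
        "expires": now + TOKEN_TTL,
        "used": False,
    }
    return token


def redeem_reset_token(user_id, token, now):
    """Accept only if the presented token hashes to the digest on file for this exact user
    and is unexpired and unused; compare in constant time and burn the token on success."""
    record = RESET_STORE.get(user_id)
    if record is None or record["used"] or now > record["expires"]:
        return False
    digest = hashlib.sha256(token.encode()).hexdigest()
    if not hmac.compare_digest(digest, record["digest"]):
        return False
    record["used"] = True  # single use: a replayed link cannot reset the password twice
    return True


def demo():
    """Run both designs against the post's constructed values; returns the outcomes."""
    today = date(2016, 10, 24)
    now = datetime(2016, 10, 24, 12, 0, tzinfo=timezone.utc)
    victim_id, victim_email = 254346, "varun09811@gmail.com"
    results = {}

    # Weak scheme: a link rebuilt from the e-mail and a guessed id is accepted.
    forged = weak_reset_params(victim_id, victim_email, today + timedelta(days=2))
    results["weak_accepts_forged_link"] = weak_verify(forged, today)

    # Hardened scheme: base64 of the e-mail is not the issued secret, the token is tied to
    # one user, and it works exactly once.
    real_token = issue_reset_token(victim_id, now)
    forged_token = base64.b64encode(victim_email.encode()).decode()
    results["hardened_rejects_forged_token"] = not redeem_reset_token(victim_id, forged_token, now)
    results["hardened_rejects_other_user"] = not redeem_reset_token(296417, real_token, now)
    results["hardened_accepts_real_token_once"] = redeem_reset_token(victim_id, real_token, now)
    results["hardened_rejects_replay"] = not redeem_reset_token(victim_id, real_token, now)

    # Expiry is enforced from the server's own record, so it cannot be extended by editing a link.
    late_token = issue_reset_token(victim_id, now)
    results["hardened_rejects_expired"] = not redeem_reset_token(
        victim_id, late_token, now + TOKEN_TTL + timedelta(seconds=1))
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Run it directly to see each outcome. The property to take away is that the hardened verifier rejects anything built from knowledge of the e-mail alone, the id in the link no longer matters on its own, and the expiry lives in the server's record rather than in a parameter the user can edit.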
I reported this vulnerability to the concerned enterprise, and they were quick to patch it within 2 days. I thank the company for the small token of appreciation :)
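Step 5, walking the six-digit id against the reset endpoint, leaves a distinctive trace in the web server logs: one client requesting the reset endpoint with many different id values while token and vit stay constant. The following is an added example, not part of the original post, of a small detector over constructed combined-format log lines (the IPs, timestamps and the range of ids are made up around the values in the post); it flags any client that presents at least a threshold of distinct ids within a time window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in combined log format (not real traffic from the affected site):
# one ordinary reset-link click from 198.51.100.20, then a burst from 203.0.113.7 that keeps
# the same token and vit and changes only the id parameter.
LOG_LINES = [
    '198.51.100.20 - - [25/Oct/2016:09:58:12 +0000] "GET /account/resetpassword/?id=296417'
    '&token=dGVzdGFjY291bnQwOUBnbWFpbC5jb20=&vit=MjAxNi8xMC8yNQ== HTTP/1.1" 200 1532 "-" "Mozilla/5.0"',
] + [
    f'203.0.113.7 - - [25/Oct/2016:10:00:{sec:02d} +0000] "GET /account/resetpassword/?id={254300 + sec}'
    '&token=dmFydW4wOTgxMUBnbWFpbC5jb20=&vit=MjAxNi8xMC8yNQ== HTTP/1.1" 400 0 "-" "python-requests/2.11"'
    for sec in range(8)
]

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
RESET_PATH = "/account/resetpassword/"


def parse_line(line):
    """Return the fields of one request to the reset endpoint, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if parts.path != RESET_PATH:
        return None
    qs = parse_qs(parts.query)  # splits each pair on the first '=', so base64 padding survives
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "id": qs.get("id", [None])[0],
        "token": qs.get("token", [None])[0],
        "status": int(m.group("status")),
    }


def find_id_enumeration(lines, window=timedelta(minutes=5), threshold=5):
    """Flag client IPs that hit the reset endpoint with at least `threshold` distinct 'id'
    values inside any `window`. Returns {ip: {"distinct_ids": n, "distinct_tokens": k}};
    a large n with k == 1 is the signature of one forged token being tried against many ids."""
    by_ip = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["id"] is not None:
            by_ip[ev["ip"]].append(ev)

    flagged = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        best = 0
        for i, ev in enumerate(events):
            # distinct ids among the requests in the window ending at this event
            in_window = [e for e in events[: i + 1] if ev["ts"] - e["ts"] <= window]
            best = max(best, len({e["id"] for e in in_window}))
        if best >= threshold:
            flagged[ip] = {
                "distinct_ids": best,
                "distinct_tokens": len({e["token"] for e in events}),
            }
    return flagged


if __name__ == "__main__":
    for ip, info in find_id_enumeration(LOG_LINES).items():
        print(f"{ip}: {info['distinct_ids']} distinct ids, {info['distinct_tokens']} distinct tokens")
```

On a real deployment the same check belongs in the application as well as in log review: rate-limit the reset endpoint per client and per target account, and treat a run of failed reset attempts across different ids as a signal to alert on, not just a 400 to return.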
That's all about it!
Do share your feedback.
Thanks
~logicbomb