Sunday, 23 October 2016

User Account Takeover via Reset Password Functionality

Hey Guys,

One more interesting blog explaining an interesting vulnerability that I have found recently in one of the Mobile Wallet Companies of India.

To log in to any online website, we need a username, which is usually the user's registered mail id, and the password he has set for it. If he doesn't remember his password, there is a Reset Password feature that comes to help. While researching the vulnerability around this feature, I found a logical flaw by which I was able to reset any user's password and log in with it to take over his complete account.

Let's now enter into the explanation-

1. When I clicked on the Reset Password functionality for the account "testaccount09@gmail.com", I received a mail saying "To reset the password, please click on the below link-" and the link was something like -
 http://www._________.com/account/resetpassword/?id=296417&token=dGVzdGFjY291bnQwOUBnbWFpbC5jb20=&vit=MjAxNi8xMC8yNQ==

2. Here 'id' is the identification number associated with the user account, 'token' is the base64-encoded registered mail id of the user, which here decodes to "testaccount09@gmail.com", and 'vit' is a base64-encoded timestamp whose value in this case decodes to "2016/10/25".

3. Researching more, I have found that the timestamp parameter is the expiry date of the reset password link which was here 2 days from the time user clicked on reset password.

4. Now comes the step of compromising the user account. What I did is that I replaced the mail id of the user in the reset password link with the victim's mail id, encoded it to base64, and kept the timestamp value 2 days ahead of the current date.

          Victim mail id - varun09811@gmail.com
          Base64 encoded value (Parameter = token) - dmFydW4wOTgxMUBnbWFpbC5jb20=
          Timestamp value (Parameter = vit) - MjAxNi8xMC8yNQ==


5. The tricky part here is to find the "id" associated with that particular user mail id. Since it's a 6 digit code, I tried brute forcing it via a python script and after a while I found the right id associated with the victim mail id, which happens to be id=254346. (Yes, this is something time consuming.)

6. So the tampered URL is -
http://www._________.com/account/resetpassword/?id=254346&token=dmFydW4wOTgxMUBnbWFpbC5jb20=&vit=MjAxNi8xMC8yNQ==

I loaded the link in the browser, set a new password for the account, and I was successfully able to log in to it. I had complete access to his account: I could use his wallet money, change the registered mobile number and everything!
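To contrast the link format described above with a safer design, here is an added Python example (not the post's or the company's code). It decodes the post's own sample link to show that both parameters are public data, then sketches a hypothetical server-side scheme that replaces them with a random, hashed, single-use, short-lived token bound to the user id; RESET_STORE, TOKEN_TTL_SECONDS and the function names are assumptions.

```python
import hashlib
import hmac
import secrets
import time
from base64 import b64decode
from urllib.parse import parse_qs, urlparse

# Constructed from the link in the post: every parameter is public or
# guessable, so the link proves nothing about who requested the reset.
WEAK_LINK = ("http://www._________.com/account/resetpassword/?id=296417"
             "&token=dGVzdGFjY291bnQwOUBnbWFpbC5jb20=&vit=MjAxNi8xMC8yNQ==")


def decode_weak_link(url):
    """Show what the weak link carries: a user id, an e-mail and a date."""
    q = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    return {"id": q["id"],
            "email": b64decode(q["token"]).decode(),
            "expires": b64decode(q["vit"]).decode()}


# Hardened scheme (hypothetical, not the vendor's fix): the link carries one
# random token; the server stores only its SHA-256 hash bound to the user id
# and an expiry, and deletes the record on first use. RESET_STORE stands in
# for a database table.
RESET_STORE = {}
TOKEN_TTL_SECONDS = 30 * 60  # far shorter than the two days in the post


def issue_reset_token(user_id, now=None):
    """Return the token to put in the mail; only its hash is kept."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits; cannot be derived from id/mail
    digest = hashlib.sha256(token.encode()).hexdigest()
    RESET_STORE[digest] = {"user_id": user_id, "expires": now + TOKEN_TTL_SECONDS}
    return token


def redeem_reset_token(token, now=None):
    """Return the user id for a valid, unexpired, unused token, else None."""
    now = time.time() if now is None else now
    digest = hashlib.sha256(token.encode()).hexdigest()
    for stored in list(RESET_STORE):
        if hmac.compare_digest(stored, digest):  # constant-time comparison
            entry = RESET_STORE.pop(stored)      # single use, valid or not
            return entry["user_id"] if entry["expires"] >= now else None
    return None
```

With this design the mailed link no longer contains the user's id or e-mail in any form, so there is nothing for a third party to substitute or enumerate.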

I reported this vulnerability to the concerned enterprise, and they were quick to patch it within 2 days. I thank the company for the small token of appreciation :)

That's all about it! 
Do share your feedback.

Thanks
~logicbomb
