I'm going to talk about a common but strange password reset design that I have seen many times while bug hunting or on formal penetration testing engagements. In many cases this design opens the door for an attacker to take over users' accounts.
The story started when I was resetting my account password on a private program on HackerOne, and while doing that, I found something interesting. After I changed my password successfully via the password reset URL, I noticed the following request:
At first glance, you may think this request is vulnerable to IDOR, but when I changed the "Email" parameter to another email address that isn't associated with my account, I got a 403 response. So I asked myself why this wasn't working, given that there was no password reset token attached to the request, nor any authorization header.
Maybe the server was validating authorization via the cookies? I tried changing the cookie value and still got the same 403 response.
After digging further, I understood how this system works:
1. User A starts to reset the password of User B.
2. User B receives the reset link and clicks on it.
3. Now this API endpoint will allow User A to change User B's password using only B's email address, since the server considers the authorization process complete.
When the user clicks on the reset link, the server treats this as proof that the user is completing a reset they requested themselves. In fact they didn't: the attacker is the one who requested the reset.
So we can take over the user account in the following cases:
1. A user starts a password reset via email, opens the reset link but doesn't complete it (maybe they remembered the password midway). We can now change the password, since the server holds a valid authorization for that email.
2. The attacker starts a password reset for the victim's email address. When the victim opens the reset link they received in their inbox, the web app permits the attacker to change the victim's password through this endpoint using only the victim's email address.