Open in app

Sign up

Sign in

Write

Sign up

Sign in

InfoSec Write-ups

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties and CTFs to vulnhub machines, hardware challenges and real life encounters. Subscribe to our weekly newsletter for the coolest infosec updates: https://weekly.infosecwriteups.com/

Follow publication

How BAC(Broken Access Control) got me a Pre Account Takeover

Introduction:

Hey Hackers!!!

This is a writeup about one of my recent findings on a VDP. I found a Broken Access Control bug which was eventually leading to Pre-Account Takeover. Lets head on to our main story…

Story of the Bug:

It was a typical, boring and unexciting Saturday, I was looking for something to kill the time. So, I decided to do some bug hunting. With the help of this Bug Bounty Google Dork list I found a program to test my skills.

When I signed up on the web application, I discovered some interesting features like creating groups and inviting users. As a bug hunter, it felt like stumbling upon a treasure chest of possibilities, I started manually hunting for Vulnerabilities in Password Reset and 2FA Functionality but I got nothing there. So I went for User Manager option to test without wasting any more time.

Next, using a test account called “attacker@778899gmail.com” I invited myself to the platform. Then, I explored the User Manager option to see what information I could find.

There we got some basic info about the invited user like name, login, email… Here the login field is responsible for password change, But I was not allowed to change the login and email field of the invited user.

Not allowed to change Login and Email

I intercepted the request and attempted to modify the login parameter, hoping it would give me Account Takeover to the invited user’s account. Unfortunately, my plan didn’t work out as expected. However, I didn’t give up just yet.

So I went to change the Email address to “victim778899@gmail.com” by intercepting the request and to my surprize it actually changed the email address of the invited user on the front-end as well as on back-end.

Change the email parameter in request body
Email Successfully changed

I know this is a Low Severity bug, but this is an intresting find for me, So I couldn’t resist sharing this writeup with all of you.

Impact:

This vulnerability can lead to Per Account Takeover of any unregistered user and an attacker can misuse the identity of the victim.

Timeline:

25-March-2023 >> Bug Reported

20-June-2023 >> They patched the vulnerability & marked it as low severity.

Their Response

If you guys like this writeup and learned something valuable then do hit the clap 👏 X 50 times.

Feel free to connect with me on Linkedin and Twitter.

Sign up to discover human stories that deepen your understanding of the world.

Free

Distraction-free reading. No ads.

Organize your knowledge with lists and highlights.

Tell your story. Find your audience.

Sign up for free

Membership

Read member-only stories

Support writers you read most

Earn money for your writing

Listen to audio narrations

Read offline with the Medium app

Try for $5/month
Bug Bounty
Infosec
Cybersecurity
Bug Bounty Tips
Hacking
InfoSec Write-ups
InfoSec Write-ups
Follow

Published in InfoSec Write-ups

57K Followers
Last published 13 hours ago

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties and CTFs to vulnhub machines, hardware challenges and real life encounters. Subscribe to our weekly newsletter for the coolest infosec updates: https://weekly.infosecwriteups.com/

Follow
Bharat Singh
Bharat Singh
Follow

Written by Bharat Singh

329 Followers
83 Following

Cybersecurity enthusiast who plays CTFs and do Bug Bounty for fun. >>>>https://www.linkedin.com/in/bharat-s1ngh/<<<<

Follow

Responses (2)

Write a response

What are your thoughts?

Help

Status

About

Careers

Press

Blog

Privacy

Rules

Terms

Text to speech