IDOR leads to Change the password of all users (ATO).
Hi mates, I am Akash Patil (@skypatil98) from India. I have been in the bug bounty field for the last 2 years. Today I'm going to share an interesting tale of an IDOR that leads to changing the password of all users (ATO). This is my first article, so if there are any grammatical mistakes, please overlook them. Without wasting any time, let's get started! 😉
Let's consider the target as target.com, which is an online store management system. I quickly signed up with the necessary information and created and verified two accounts for testing purposes: Account 1 (abc@gmail.com) and Account 2 (xyz@gmail.com).
Let's come directly to the point. I visited the forgot-password functionality to check how it works. I entered the email of Account 1 (abc@gmail.com), clicked on forgot password and checked the mailbox.
The reset password link looked like this: http://target.com/forgotpswd/SID1001
As you can see, the user-id parameter is disclosed in the reset password link.
Change that parameter value from SID1001 → SID1002, enter the 2nd account's email address (Account 2, xyz@gmail.com) and click on submit.
After submitting, it's time to check whether the 2nd account's password changed or not: just log in with the 2nd account's email id and the new password we set in the step above.
Yeah, just an easy account takeover...!!! Wait wait wait ⬇️ read the important sections below too 😉
===
Reproduction steps:
(1) Create two accounts for testing: ACCOUNT1 and ACCOUNT2.
(2) Request a password reset for ACCOUNT1.
(3) After getting the reset password link, we can see the SID parameter is disclosed in the link; just change the SID parameter value to the 2nd account's, i.e. SID1001 → SID1002.
(4) Enter the 2nd account's email id and a new password, then submit the request (I created the 2nd account for testing purposes, to prove whether the password is actually changed successfully or not).
(5) Yeah, we are able to change the password of another user.
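The root cause is that the reset link identifies the account by a guessable SID and the server trusts whatever id comes back, with no binding between the link, the account it was issued for and the email submitted on the form. As an added example (not code from the original post or from the target), here is a minimal hardened reset flow in Python: the link carries an unguessable random token, the token-to-user binding is stored only server-side, the token is single-use and expires, and the submitted email must match the account the token was issued for. The `USERS` table, the SID values and the target.com URL are constructed for illustration; the flawed lookup is included beside the fixed one for contrast.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

TOKEN_TTL_SECONDS = 15 * 60

# Constructed in-memory user table; the SIDs mirror the ones in the write-up.
USERS = {
    "SID1001": {"email": "abc@gmail.com", "salt": None, "password_hash": None},
    "SID1002": {"email": "xyz@gmail.com", "salt": None, "password_hash": None},
}
# Server-side token store: sha256(token) -> {"user_id": ..., "expires": ...}.
# Only the hash is kept, so a leaked table does not yield usable tokens.
RESET_TOKENS = {}


def _hash_token(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def _hash_password(password: str, salt: bytes) -> str:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()


def vulnerable_complete_reset(sid: str, email: str, new_password: str) -> bool:
    """The flawed pattern from the write-up: the account is chosen by the id
    taken from the URL, and the submitted email is never checked against it."""
    user = USERS.get(sid)
    if user is None:
        return False
    user["salt"] = secrets.token_bytes(16)
    user["password_hash"] = _hash_password(new_password, user["salt"])
    return True


def request_reset(email: str, now: Optional[float] = None) -> Optional[str]:
    """Issue a reset link for the account owning `email`, or None if no such
    account exists (respond identically to the client either way, so the
    endpoint does not confirm which emails are registered)."""
    now = time.time() if now is None else now
    user_id = next((uid for uid, u in USERS.items() if u["email"].lower() == email.lower()), None)
    if user_id is None:
        return None
    token = secrets.token_urlsafe(32)  # 256 random bits; not derived from the user id
    RESET_TOKENS[_hash_token(token)] = {"user_id": user_id, "expires": now + TOKEN_TTL_SECONDS}
    return f"https://target.com/forgotpswd/{token}"


def complete_reset(token: str, email: str, new_password: str, now: Optional[float] = None) -> bool:
    """Set a new password only if the token is known, unexpired and bound to
    the account whose email was submitted. The token is removed on first use,
    including failed attempts, so it cannot be retried against other accounts."""
    now = time.time() if now is None else now
    entry = RESET_TOKENS.pop(_hash_token(token), None)
    if entry is None or entry["expires"] < now:
        return False
    user = USERS[entry["user_id"]]
    if not hmac.compare_digest(user["email"].lower(), email.lower()):
        return False
    user["salt"] = secrets.token_bytes(16)
    user["password_hash"] = _hash_password(new_password, user["salt"])
    return True


def verify_password(email: str, password: str) -> bool:
    """Login check used to confirm which account a reset actually affected."""
    user = next((u for u in USERS.values() if u["email"].lower() == email.lower()), None)
    if user is None or user["password_hash"] is None:
        return False
    return hmac.compare_digest(user["password_hash"], _hash_password(password, user["salt"]))
```

With the hardened flow, editing the id in the link no longer selects a different victim: the URL contains no id at all, and a token for Account 1 submitted together with Account 2's email is rejected and burned. A real deployment would additionally store the tokens in the database and invalidate any outstanding token when a new one is requested.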
===
Takeaway(s):
(i) Now maybe some of you have a question: how did I grab the ids?
These ids are numeric, so there is no special logic behind them; we can brute force them.
(ii) Now we have changed the password, but how are we able to log in? It still needs valid emails, which I am not aware of, so for that, simply via user enumeration we can identify the valid emails and log in to their accounts :)
(iii) After spending a few hours on the target, I can see that the endpoint http://target.com/forgotpswd/SID1001 doesn't have a rate limit, so we can brute force that particular parameter to change the password of all the users to the same password 😂😂.
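The missing rate limit in takeaway (iii) is also what makes this visible in logs: one client submitting reset forms for many distinct ids in a short window is not normal user behaviour. As an added detection example (not part of the original post, and not the target's real log format), the function below reads constructed access-log lines for the reset endpoint and flags any client whose number of distinct SIDs inside a sliding window exceeds a threshold. The line format, the IP addresses and the SID values are all constructed for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed log format, one request per line:
# "<ISO8601 UTC time> <client ip> <method> /forgotpswd/<id> <status>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) (?P<ip>\S+) (?P<method>[A-Z]+) "
    r"/forgotpswd/(?P<sid>\S+) (?P<status>\d{3})$"
)

# Constructed sample: one ordinary reset from 198.51.100.7, and one client
# (203.0.113.5) submitting the form for eight sequential ids in 11 seconds.
SAMPLE_LOG = """\
2023-05-01T10:00:00Z 198.51.100.7 GET /forgotpswd/SID1001 200
2023-05-01T10:00:04Z 198.51.100.7 POST /forgotpswd/SID1001 200
2023-05-01T10:01:00Z 203.0.113.5 POST /forgotpswd/SID1001 200
2023-05-01T10:01:02Z 203.0.113.5 POST /forgotpswd/SID1002 200
2023-05-01T10:01:03Z 203.0.113.5 POST /forgotpswd/SID1003 200
2023-05-01T10:01:05Z 203.0.113.5 POST /forgotpswd/SID1004 200
2023-05-01T10:01:06Z 203.0.113.5 POST /forgotpswd/SID1005 200
2023-05-01T10:01:08Z 203.0.113.5 POST /forgotpswd/SID1006 200
2023-05-01T10:01:09Z 203.0.113.5 POST /forgotpswd/SID1007 200
2023-05-01T10:01:11Z 203.0.113.5 POST /forgotpswd/SID1008 200
this line is not a reset request and is skipped
""".splitlines()


def parse_line(line):
    """Return a dict for a reset-endpoint request line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "ip": m["ip"], "method": m["method"], "sid": m["sid"], "status": int(m["status"])}


def find_reset_enumeration(lines, window_seconds=60, distinct_threshold=5):
    """Flag clients that POST the reset form for more than `distinct_threshold`
    distinct ids within any `window_seconds` window.

    Returns {client_ip: max distinct ids seen in one window}."""
    events = [e for e in map(parse_line, lines) if e and e["method"] == "POST"]
    events.sort(key=lambda e: e["ts"])
    recent = defaultdict(deque)  # ip -> (ts, sid) pairs inside the current window
    flagged = {}
    for e in events:
        q = recent[e["ip"]]
        q.append((e["ts"], e["sid"]))
        while (e["ts"] - q[0][0]).total_seconds() > window_seconds:
            q.popleft()
        distinct = {sid for _, sid in q}
        if len(distinct) > distinct_threshold:
            flagged[e["ip"]] = max(flagged.get(e["ip"], 0), len(distinct))
    return flagged


if __name__ == "__main__":
    for ip, count in find_reset_enumeration(SAMPLE_LOG).items():
        print(f"{ip}: {count} distinct reset ids within 60s")
```

The same counter, run online instead of over a log file, is the shape of the per-client rate limit the endpoint was missing; the remediation that closes the issue, however, is removing the guessable id from the link, as the reset flow above shows, with the rate limit and alert as defence in depth.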
===
Thanks for reading. If you have any questions, you can DM me on Twitter 😊