Bug Bounty Tips: Uncovering Mass Account Takeover via Broken Access Control
Bug bounty tip of the week is by Vinay Sati. In this scenario, Vinay explores exploiting Broken Access Control (BAC) to execute a mass account takeover, with a subtle touch of “security by obscurity.”
1. Identifying the Password Reset Endpoint
The password reset endpoint, accessed via /api/u/resetPwd, accepts a POST parameter, “username,” and dispatches an email with the password reset link.
The request looks like this:
POST /api/u/resetPwd
Parameters:
- username=user
2. Observing an Unusual Endpoint Component
The “u” component in the API endpoint (/api/u/resetPwd) seemed unconventional and hinted at a potential admin password reset API.
Guessing sibling path components produced the following results:
POST /api/admin/resetPwd // Unsuccessful
POST /api/administrator/resetPwd // Unsuccessful
POST /api/su/resetPwd // Successful!
3. Successful Admin Password Reset Endpoint
By trying the /api/su/resetPwd endpoint, we successfully triggered a password reset. The new password was set as username+ab12*.
POST /api/su/resetPwd
Parameters:
- username=admin
4. Password Structure After Reset
For instance, if the username is “admin,” the new password after reset becomes adminab12*.
5. Exploiting Lack of Authorization Checks
The critical flaw lies in the admin password reset endpoint (/api/su/resetPwd): it performs no authorization check on the caller, so anyone who can reach it can reset any account's password, and the password it sets is predictable.
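The two defects above, the missing authorization check and the predictable password, side by side with a hardened handler. This is an added illustration, not code from the write-up or the affected application; the in-memory user store, the Request model and the mailer stand-in are constructed assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed stand-ins for the application's user database and outbound mailer.
USERS = {"admin": {"role": "admin", "pw": "old"}, "user": {"role": "user", "pw": "old"}}
SENT_MAIL = []  # list of (username, token) tuples the mailer would deliver


@dataclass
class Request:
    """Minimal request model: path, POST body, and the server-side authenticated identity."""
    path: str
    form: dict
    caller: Optional[str] = None  # None means the request is unauthenticated


def vulnerable_su_reset(req: Request) -> dict:
    """Mirrors the behaviour described in the write-up: no caller check, password = username+ab12*."""
    username = req.form.get("username", "")
    if username not in USERS:
        return {"status": 404}
    USERS[username]["pw"] = username + "ab12*"  # predictable, so the attacker already knows it
    return {"status": 200}


def hardened_su_reset(req: Request) -> dict:
    """Fixed handler: only an authenticated admin may trigger a reset, and the reset is a
    random single-use token delivered out of band, never a server-chosen password."""
    # 1. Authorize on the server-side identity, not on the obscurity of the URL path.
    if req.caller is None or USERS.get(req.caller, {}).get("role") != "admin":
        return {"status": 403}
    username = req.form.get("username", "")
    if username not in USERS:
        return {"status": 202}  # identical to the success response: no account enumeration
    # 2. Unpredictable 256-bit token; only its hash is stored server-side.
    token = secrets.token_urlsafe(32)
    USERS[username]["reset_token_hash"] = hashlib.sha256(token.encode()).hexdigest()
    SENT_MAIL.append((username, token))  # stand-in for e-mailing the reset link
    return {"status": 202}


def verify_reset_token(username: str, token: str) -> bool:
    """Constant-time check of a presented token against the stored hash."""
    stored = USERS.get(username, {}).get("reset_token_hash")
    if stored is None:
        return False
    return hmac.compare_digest(stored, hashlib.sha256(token.encode()).hexdigest())
```

The hardened version also answers 202 for unknown usernames so the endpoint cannot be used to confirm which accounts exist.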
Conclusion
This case illustrates the significance of thinking creatively and delving deep into system components during bug bounty hunting. By identifying unusual patterns and meticulously testing endpoints, we uncovered a vulnerability leading to a mass account takeover. Always remember to report such findings responsibly, adhering to the bug bounty program’s guidelines.