Pricing

HomeBlogBug Bounty Tips and Blog PostsBug Bounty Tips: Uncovering Ma...

Bug Bounty Tips: Uncovering Mass Account Takeover via Broken Access Control

Can Engin

Can Engin

Bug Bounty Tips: Uncovering Mass Account Takeover via Broken Access Control

Bug bounty tip of the week is by Vinay Sati. In this scenario, Vinay explores exploiting Broken Access Control (BAC) to execute a mass account takeover, with a subtle touch of “security by obscurity.”

1. Identifying the Password Reset Endpoint

The password reset endpoint, accessed via /api/u/resetPwd, accepts a POST parameter, “username,” and dispatches an email with the password reset link.

See the code snippet below for better demonstration:

POST /api/u/resetPwd
Parameters:
- username=user

2. Observing an Unusual Endpoint Component

The “u” component in the API endpoint (/api/u/resetPwd) seemed unconventional and hinted at a potential admin password reset API.

See the code snippet below for better demonstration:

POST /api/admin/resetPwd   // Unsuccessful
POST /api/administrator/resetPwd   // Unsuccessful
POST /api/su/resetPwd   // Successful!

3. Successful Admin Password Reset Endpoint

By trying the /api/su/resetPwd endpoint, we successfully triggered a password reset. The new password was set as username+ab12*.

POST /api/su/resetPwd
Parameters:
- username=admin

4. Password Structure After Reset

For instance, if the username is “admin,” the new password after reset becomes adminab12*.

5. Exploiting Lack of Authorization Checks

The critical flaw lies in the admin API endpoint (/api/su/resetPwd) for password reset, which lacks any robust authorization checks.

Conclusion

This case illustrates the significance of thinking creatively and delving deep into system components during bug bounty hunting. By identifying unusual patterns and meticulously testing endpoints, we uncovered a vulnerability leading to a mass account takeover. Always remember to report such findings responsibly, adhering to the bug bounty program’s guidelines.

A tip from BugBounter for bug bounty hunters: would you like to be featured on social media with your bug bounty tip? – Sign up on BugBounter, and contact us with your bug bounty tip.

Did you like this article? Spread the word!

Similar Posts

Shopping Basket