Account Takeover


Hello folks, Vinay Jagetiya (princej_76) here again with another writeup!!!

I will explain how I achieved account takeover due to an authentication failure.

Lets Begin!!!

The site had two types of accounts: admin and general user.

  1. Log in to the admin account.
  2. An admin can send an invitation to someone to join his organization on the app.
  3. When the invitation is sent, the receiver's <user id> is leaked in the response.

In another browser, craft a URL such as “https://api.website.com/authentication/signup?invitationId=<user id>”.

(Additionally, you can play with the URL, for example replacing signup with reset-password; you might be able to change the password without authentication.)

It leads to the set-password page without any confirmation from the actual user, and the pending invitation request is accepted automatically.
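The root cause here is that the signup endpoint accepts a predictable identifier (the invitee's user id, which the inviter can read from the API response) as proof that the invitation reached the invitee. The following is an added example, not code from the original writeup or from the affected site: a small in-memory model of the weak flow next to a hardened one, where the invitation is a random, hashed, expiring, single-use token that only the invitee receives, and the inviter's response carries no user id. The same token rule applies to a reset-password link. All user ids, e-mail addresses and organisation names in it are constructed for illustration.

```python
"""Added model of the invitation flow: the weak design from the writeup (the
signup link is keyed by the invitee's user id, which the inviter learns from
the API response) next to a hardened design (random, hashed, expiring,
single-use token delivered only to the invitee). In-memory only; every
user, e-mail and organisation below is constructed for illustration."""
from __future__ import annotations

import hashlib
import secrets
import time

# Constructed user table: both users exist but have not set a password or
# joined an organisation yet.
USERS: dict[str, dict] = {
    "u-1001": {"email": "alice@example.invalid", "password": None, "org": None},
    "u-1002": {"email": "bob@example.invalid", "password": None, "org": None},
}


def _find_user_id(email: str) -> str | None:
    return next((uid for uid, rec in USERS.items() if rec["email"] == email), None)


# ---- Weak design (what the writeup describes) -------------------------------
def weak_invite(inviter_org: str, invitee_email: str) -> dict:
    """Step 3 of the writeup: the response hands the inviter the invitee's
    user id, which is also the only thing the signup endpoint checks."""
    return {"ok": True, "invitationId": _find_user_id(invitee_email), "org": inviter_org}


def weak_signup(invitation_id: str, new_password: str) -> bool:
    """Trusts a predictable identifier as proof of invitation: whoever knows a
    user id can set that user's password, with no confirmation from the user."""
    rec = USERS.get(invitation_id)
    if rec is None:
        return False
    rec["password"] = new_password
    return True


# ---- Hardened design --------------------------------------------------------
TOKEN_TTL = 24 * 3600                 # seconds an invitation stays valid
INVITATIONS: dict[str, dict] = {}     # sha256(token) -> invitation record


def _token_key(token: str) -> str:
    # Store only a hash, so reading the table does not yield usable tokens.
    return hashlib.sha256(token.encode()).hexdigest()


def safe_invite(inviter_org: str, invitee_email: str, now: float | None = None) -> tuple[dict, str]:
    """Returns (API response shown to the inviter, token sent to the invitee
    out of band, e.g. by e-mail). The response carries no user id and no token."""
    token = secrets.token_urlsafe(32)  # 256 bits of randomness: not guessable
    INVITATIONS[_token_key(token)] = {
        "email": invitee_email,
        "org": inviter_org,
        "expires_at": (now if now is not None else time.time()) + TOKEN_TTL,
        "used": False,
    }
    return {"ok": True}, token


def safe_accept(token: str, new_password: str, now: float | None = None) -> bool:
    """Accepts an invitation only with the secret token, only once, and only
    before expiry. Possessing the token is what proves the invitee got the mail."""
    rec = INVITATIONS.get(_token_key(token))
    current = now if now is not None else time.time()
    if rec is None or rec["used"] or current > rec["expires_at"]:
        return False
    uid = _find_user_id(rec["email"])
    if uid is None:
        return False
    rec["used"] = True                 # single use: a replayed link fails
    USERS[uid]["password"] = new_password
    USERS[uid]["org"] = rec["org"]
    return True


if __name__ == "__main__":
    # Weak flow: the id from the invite response is enough to take over alice.
    leaked = weak_invite("org-acme", "alice@example.invalid")["invitationId"]
    print("weak signup with leaked id:", weak_signup(leaked, "attacker-chosen"))
    # Hardened flow: a guessed id fails, the real token works exactly once.
    resp, token = safe_invite("org-acme", "bob@example.invalid")
    print("inviter response:", resp)
    print("accept with guessed id:", safe_accept("u-1002", "x"))
    print("accept with token:", safe_accept(token, "bob-pw"))
    print("accept replayed token:", safe_accept(token, "again"))
```

The design points worth checking in a real invitation or reset-password flow are the same four the hardened half enforces: the link carries a high-entropy secret rather than an account identifier, the server stores only a hash of it, it expires, and it is consumed on first use.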

Got bounty *€€€*

If you liked this article, you can connect with me on:

Twitter: https://twitter.com/princej_76

Linkedin: https://www.linkedin.com/in/vinay-jagetiya/


Written by Vinay Jagetiya (princej_76)

Security Researcher | Found 500+ vulnerabilities | HOF from 30+ Organizations.
