Hello Folks, Vinay Jagetiya(princej_76) again with another writeup!!!
I will explain how I got account takeover due to authentication failure.
Site functionality had two type of accounts one is admin and another is general user.
- Login to admin account.
- Admin can send invitation to someone for joining his organization on the app.
- When sending invitation, <user id> of receiver is leaked in response.
In another browser craft a url as “https://api.website.com/authentication/signup?invitationId=<user id>
(additionally you can play with URL, like replacing signup to reset-password, you might be able to change password without authentication)
It will lead to set password page without any confirmation from actual user.
And the pending requests will be accepted automatically.
Got bounty *€€€*
If you like this article you can connect me on: