How I chained multiple High-impact vulnerabilities to create a critical one.
Hello Everyone!!! I am Vinay Jagetiya (princej_76) and I am back again with one of my most interesting findings.
I will explain how I found several high-impact vulnerabilities and chained them into a critical one.
Here we go!!!
Let's say the domain is ‘xyz.com’. I created an account, and it created a subdomain of my username for my profile (username.xyz.com).
I logged in with my email and password, entered my mobile number and saved it. I received a link in my email to get the number verified.
The link looked like ‘username.xyz.com/<token>’ (the token was an integer like ‘xxxxxx’).
I decided to tamper with that token, so I incremented and decremented the token number.
After some 404 errors, at certain tokens I got redirected to other users’ subdomains for mobile verification.
I could now see the user’s name, email id, subdomain address and phone number, with a button for mobile verification. I clicked that button and it sent an OTP to the respective number. Since I didn’t have access to the OTP, I tried response manipulation, and it worked: I changed the response in Burp Suite.
It then redirected me to enter a new password, and I entered one.
Now I had everything: the user’s credentials, profile subdomain and username.
So I logged in to the account(s) and took over many user accounts, even suspended ones, which I could reactivate by generating a ticket in the help center.
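The two weaknesses that make this chain work are a guessable sequential verification token and a "verified" decision that the server lets the client's response decide. The following service is an added example written for this post, not code from the target application, and every name in it (VerificationService, issue_link, open_link, send_otp, verify_otp, the in-memory dicts standing in for a database) is assumed. It shows the defender's version of the same flow: the link token is 256 random bits stored only as a digest, the link reveals a profile only to the account that is also logged in (a valid token for someone else returns the same "not found" as a bad token, so there is nothing to enumerate), and the phone_verified flag flips only on a server-side, constant-time OTP match with expiry, single use and an attempt limit.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional

LINK_TTL = 24 * 3600      # mobile-verification links expire after a day
OTP_TTL = 5 * 60          # one-time codes expire after five minutes
OTP_MAX_ATTEMPTS = 5      # then the code is discarded and must be re-sent


@dataclass
class User:
    username: str
    email: str
    phone: str
    phone_verified: bool = False


@dataclass
class PendingOtp:
    code_hash: bytes
    issued_at: float
    attempts: int = 0


def _h(value: str) -> bytes:
    # store only digests so a database leak does not expose live tokens or codes
    return hashlib.sha256(value.encode()).digest()


class VerificationService:
    """Assumed in-memory model of the verification flow; dicts stand in for a DB."""

    def __init__(self) -> None:
        self.users: dict[str, User] = {}
        self.links: dict[bytes, tuple[str, float]] = {}   # token digest -> (owner, issued_at)
        self.otps: dict[str, PendingOtp] = {}             # username -> pending code

    def register(self, username: str, email: str, phone: str) -> User:
        user = User(username, email, phone)
        self.users[username] = user
        return user

    def issue_link(self, username: str) -> str:
        # 256 bits from the OS CSPRNG: neighbouring values cannot be found by
        # incrementing, unlike the integer token in the post
        token = secrets.token_urlsafe(32)
        self.links[_h(token)] = (username, time.time())
        return token          # goes into the e-mailed URL username.xyz.com/<token>

    def open_link(self, token: str, session_user: Optional[str]) -> Optional[User]:
        # The link reveals a profile only when the token's owner is also the
        # logged-in user; any other case returns the same None as a bad token.
        entry = self.links.get(_h(token))
        if entry is None:
            return None
        owner, issued_at = entry
        if time.time() - issued_at > LINK_TTL or owner != session_user:
            return None
        return self.users[owner]

    def send_otp(self, username: str) -> str:
        code = f"{secrets.randbelow(10**6):06d}"
        self.otps[username] = PendingOtp(_h(code), time.time())
        # A real deployment hands `code` to the SMS gateway here and returns
        # nothing; it is returned only so the example can run offline.
        return code

    def verify_otp(self, username: str, submitted: str) -> bool:
        # The verified flag flips only on a server-side match. Nothing the
        # client sends except the code itself influences the decision, so
        # editing the HTTP response in a proxy changes what the browser shows,
        # not the account's state.
        pending = self.otps.get(username)
        if pending is None:
            return False
        pending.attempts += 1
        expired = time.time() - pending.issued_at > OTP_TTL
        if expired or pending.attempts > OTP_MAX_ATTEMPTS:
            del self.otps[username]      # force a fresh code; stops guessing
            return False
        if not hmac.compare_digest(pending.code_hash, _h(submitted)):
            return False
        del self.otps[username]          # single use
        self.users[username].phone_verified = True
        return True
```

Note that this service deliberately has no password-change step: in the post, a successful phone verification dropped the attacker straight into a "set new password" page, so a verification bypass became a full takeover. Keeping phone verification and credential changes as separate flows, each with its own server-side check, limits what any single bypass can reach.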
SUMMARY: Those were three high- or critical-severity vulnerabilities (PII disclosure, OTP bypass and account takeover) chained together to form a mass account takeover without social engineering or user interaction.
If you like the blog you can connect with me on
Twitter: https://twitter.com/princej_76