
Tuesday, April 29, 2014

Account Takeover Using Password Reset Token Prediction

Password Reset Token Prediction Using Password Reset Functionality


While researching and working on bug bounties I have found another way in which, by using the Password Reset Functionality, Token & Link, we can take over all the user accounts of a website if that site is vulnerable to this type of attack.

Using this vulnerability the attacker can predict the password reset token for any victim's account by sending a password reset request for the victim's account right after his own. In this way he can reset the passwords of all accounts and successfully compromise the victim's account, because the password reset link sent to the user includes a password reset token which is predictable by the attacker.

Please Note: The password reset request has to be sent first to your own email id and then to the victim's email id; if you send it only to your own email id you cannot force one to be generated for the victim's email id. Also keep in mind that every value in the token, only a few values, or only one value may be incremental.

Steps to Execute the Attack:
There was a precondition that the attacker only needs to know the victim's email id :).

1. First the attacker sends the password reset request to his own email id attackeremailid@gmail.com; right after that he quickly sends a password reset request for the victim's email id victimemailid@gmail.com using the password reset request link mentioned below.

https://testsite.com/account/resetpassword

2. Now the attacker will receive a password reset link on his own email id attackeremailid@gmail.com; the link will be as mentioned below.

https://testsite.com/account/resetpassword?code=GH193733-5mq1-0a37-e051-43fefa0aaed6


3. For token analysis I created 2 test accounts, using which I found that if we send the password reset request first to our own email id and quickly after that send another password reset request for any victim's email id, then we can predict the password reset token for any victim's account, as in the password reset token value GH193733-5mq1-0a37-e051-43fefa0aaed6 the 9th, 10th, 11th & 12th characters change in an incremental way for the next user's password reset token.

4. So as the attacker's own password reset token is GH193733-5mq1-0a37-e051-43fefa0aaed6, he can predict the victim's password reset token too, and it will be GH193733-6nr2-0a37-e051-43fefa0aaed6.


5. The crafted password reset link to reset and compromise the victim's account will be as mentioned below.

Crafted Url to Reset the password of the Victim's Email ID (i.e. account) victimemailid@gmail.com:
https://testsite.com/account/resetpassword?code=GH193733-6nr2-0a37-e051-43fefa0aaed6

Impact: 
The token generated for the password reset link isn't random for each password reset request, allowing an attacker to predict the token values for a known email address and reset their password. This provides a trivial route for an attacker to gain access to accounts or cause a denial of service to users on the Application.

Recommendation:  
The recommended approach is to generate a one-time token on each password reset request which is linked to the user account; the token value shall not be predictable and it shall expire once the password has been reset. Additionally, ensure that if the identifier is not passed this won't default to updating all accounts.
Also, input from the user should be treated as untrusted and re-validated when sent to the server.

So in this way one can take over any victim's account using the Password Reset Functionality, Token & Link; this approach can also be used to find the same type of vulnerability on many different websites.


Suggestions and feedback are welcome.

Saturday, April 12, 2014

Account Compromise Using Password Reset Vulnerability

Account Compromise Using Password Reset Link
While researching and working on bug bounties I have found that by using the Password Reset Link we can take over all the user accounts of a website if that site is vulnerable to this type of attack.

Using this vulnerability the attacker can change the email to any victim's email to change their password, and in this way he can also reset the passwords of all accounts and successfully compromise the victim's account: after opening the password reset link sent to the user, the page shows an email id input field pre-filled with attacker@gmail.com, which is an editable input field, along with 2 more blank fields for the new password, and the password reset token can be used for other users.

Please Note: There is no need to decode the password reset token values etc., nor was there any client-side validation.

Steps to Execute the Attack:

1. Open https://site.com/members/setup-password/14aaef7bb41ed6e4b46d09298ec1bfc6a483623d/
It will display an email field with attacker@gmail.com and the 2 blank fields to change the password.

2. Now the attacker changes the email id to victim@gmail.com, enters his desired password and submits the password reset form.

3. Now you will see that the other user's (victim@gmail.com) password has been changed and the attacker is logged into the victim's account, i.e. victim@gmail.com.

So in this way, using the above mentioned steps, the attacker can easily compromise any user's account on that website.

Password Reset Vulnerability POC Screenshot:

Attacker's Email ID: attacker@gmail.com and his password reset link:

https://site.com/members/setup-password/14aaef7bb41ed6e4b46d09298ec1bfc6a483623d/
So in this way the attacker can take over any user's account.

Impact: 

The token generated for the activation link isn't re-checked and no validation is done on the associated email ID field, allowing an attacker to change the value to a known email address and reset their password. This provides a trivial route for an attacker to gain access to accounts or cause a denial of service to users on the Application.



Recommendation: 

Input from the user should be treated as untrusted and re-validated when sent to the server. The recommended approach is to generate a one-time random token which is linked to the user account; the reset link should carry only that one-time random token, which shall expire once the password has been reset, and the email parameter shall not be editable. Additionally, ensure that if the identifier is not passed this won't default to updating all accounts.


So in this way one can take over the victim's account using the Password Reset Link; this approach can also be used to find the same type of vulnerability on different websites.


Suggestions and feedback are welcome.

Thursday, March 6, 2014

Account Takeover Using Password Reset Vulnerability

Account Takeover Using Password Reset Functionality
While researching and working on bug bounties I have found that by using the Password Reset Functionality, Token & Link we can take over all the user accounts of a website if that site is vulnerable to this type of attack.

Using this vulnerability the attacker can replace the email md5 hash with any victim's email md5 hash to change their password, and in this way he can also reset the passwords of all accounts and successfully compromise the victim's account, because the password reset link sent to the user includes the md5 hash of the email address and the password reset token can be used for other users.


Steps to Execute the Attack:

There was a precondition that the attacker shall know the md5 hash value of the victim's email id.


Attacker's Email ID: attackeremailid@gmail.com and his password reset link:
http://testsite.com/reset-password/74o4s384549484c4k4v506t4d5a3e5n5k444j4g5j4o4c553l454h464m474/74q55426l4q5u5m5c4s5l5m5n5t2102fadb4bd021805624f06ea4c8e4d38


The first part of the password reset Url before the '/' is the password reset token and the second part is the md5 hash of the user's email id, in which the first 28 values (74q55426l4q5u5m5c4s5l5m5n5t2) are the same for every user's email id and the remaining values differ for each user's email id, as they are the md5 hash of the user's email id. So the attacker can easily reverse the email hash values using the online md5 lookup ("encrypter/decrypter") services such as http://md5decryption.com; sometimes websites also use base64 encoding (or other encodings), which can just as easily be decoded using the online base64 encoders and decoders such as http://ostermiller.org/calc/encode.html.


Attacker's Email ID: attackeremailid@gmail.com md5 hash value:
102fadb4bd021805624f06ea4c8e4d38


Victim's Email ID: victimemailid@gmail.com md5 hash value:
05ebb8fb6ec39f50d33e19cd5719084d


First 28 values which are the same for each user's email id hash:
74q55426l4q5u5m5c4s5l5m5n5t2


Crafted Url to Reset the password of the Victim's Email ID (i.e. account) victimemailid@gmail.com:

http://testsite.com/reset-password/74o4s384549484c4k4v506t4d5a3e5n5k444j4g5j4o4c553l454h464m474/74q55426l4q5u5m5c4s5l5m5n5t205ebb8fb6ec39f50d33e19cd5719084d

So in this way the attacker can take over any user's account.

Impact: 

The token generated for the activation link isn't re-checked and no validation is done on the associated email ID field, allowing an attacker to change the value to the md5 hash of a known email address and reset their password. This provides a trivial route for an attacker to gain access to accounts or cause a denial of service to users on the Application.



Recommendation: 

Input from the user should be treated as untrusted and re-validated when sent to the server. The recommended approach is to generate a one-time random token which is linked to the user account; the reset link should carry that one-time random token instead of the email ID hash value, and it shall expire once the password has been reset. Additionally, ensure that if the identifier is not passed this won't default to updating all accounts.
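A reset flow that follows the recommendations of all three posts (an unguessable single-use token, the account taken from the server-side token record rather than from an editable email field or an email hash in the link, and expiry after use), written here as an added Python example that is not code from the original posts or from any of the sites described. The in-memory USERS and RESET_TOKENS stores, the user record and the 15-minute token lifetime are constructed assumptions.

```python
import hashlib
import secrets
import time

# Constructed in-memory stand-ins for the application's user table and token table.
USERS = {"victimemailid@gmail.com": {"password": "old-password"}}
RESET_TOKENS = {}               # sha256(token) -> {"email": ..., "expires": ...}
TOKEN_TTL_SECONDS = 15 * 60     # assumed lifetime; unused tokens expire quickly


def _token_key(token):
    # Store only a hash of the token, so a leaked token table cannot be replayed as-is.
    return hashlib.sha256(token.encode()).hexdigest()


def issue_reset_token(email, now=None):
    """Create an unguessable, single-use token bound to exactly one account.
    Returns None for unknown accounts (the caller should respond identically either way)."""
    now = time.time() if now is None else now
    if email not in USERS:
        return None
    # 32 bytes from the OS CSPRNG: each token is independent of the previous one
    # (nothing like GH193733-5mq1 -> GH193733-6nr2), and the link carries no email or hash.
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[_token_key(token)] = {"email": email, "expires": now + TOKEN_TTL_SECONDS}
    return token


def reset_password(token, new_password, form_email=None, now=None):
    """Consume the token. The account to update comes from the server-side token record
    only; an email submitted by the client is compared against it, never trusted."""
    now = time.time() if now is None else now
    key = _token_key(token)
    record = RESET_TOKENS.get(key)
    if record is None:
        return False                # unknown, already used, or revoked
    if now > record["expires"]:
        del RESET_TOKENS[key]
        return False                # expired tokens are rejected and discarded
    if form_email is not None and form_email.lower() != record["email"]:
        return False                # client tried to point the reset at another account
    USERS[record["email"]]["password"] = new_password
    # Single use: drop this token and any other outstanding token for the same account.
    for k in [k for k, r in RESET_TOKENS.items() if r["email"] == record["email"]]:
        del RESET_TOKENS[k]
    return True
```

In a real deployment the password would be stored hashed and the token lookup would hit the database, but the checks (hash lookup, expiry, account bound server-side, single use) stay the same.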


So in this way one can take over the victim's account using the Password Reset Functionality, Token & Link; this approach can also be used to find the same type of vulnerability on different websites.


Suggestions and feedback are welcome.