• Get in Touch
  • hi@isalmankhan.com
go back

How I was able to change any User's Password

31 May, 2015

Hello!


First of all thanks guys for your good responses on my first ever (previous) writeup. I'm back with another PoC. I don't have much time right now, I wanted to share another PoC but that will take huge time (Don't worry I will write it later) so I have decided to write this one.


Again in another website I was able to guess the password reset token easily which allowed me to change the password of any user. This one is easy but took me time to actually find out how to do it. Anyway, to change the password of any account just the email address of the victim was needed.


So I was asked to do the security test of a private site and as usual I tested password reset function as well. I asked password reset for email hacker@gmail.com (Actually was my personal email address but I'm writing hacker@gmail.com here) and go the below password reset token:


b4cd3c3936b93c1ea51774067426cf575acd26e6371c1e32e65ac6e178d16caf58ffe180f07
e224e7270b1ecc1b82e1a0447ef83cd39dceea82d61781d80ec29


I started looking at to it and actually I didn't know what it is. It's a long key, I ignored it and requested password reset again 2-3 times and found out that it actually gave me the same reset token. I change password with this key and again requested a password reset and again the password token was the same. It was clear that the token is not changing whenever you request a password reset. Then I remembered that the token for email verification is same as well. Then it was clear to me that this key contains the email address of the user.


Now the challenge was to find out what type of hash it is. I was just 1 step away from success. I then opened an encryption site (Link in Tools Used section) which encrypts your input to every hash as well as it decrypts your input. It is easy to encrypt an input but it is hard to decrypt hashes. So I decided to not to try decoding atleast and I entered hacker@gmail.com and it encrypted it to every type of hash like md2, md5, etc... I already had the key copied so I pressed CTRL+F and pasted that key and it exactly matched a key which was SHA512 hash key.


So the things were clear. All you need is the email address of the victim and then encrypt it with SHA512 encryption and that was the reset key. Then the action was, Just put the key in the forgot password link and done! I was able to change the password.


Tools Used:

For Encryption: http://md5hashing.net
For SHA512 Encryption: https://md5hashing.net/hashing/sha512#main


Conclusion:

Always check the password reset function of the site carefully which you're testing. You may find such a big issue like account takeover. Always check the password reset key, Try to sort out which kind of hash it is based on, What it could contain etc...


Ps: My writeup looks so ugly & confusing upon hiding the site name and url but I hope it increases your knowledge.

Comments