How I Hacked User Accounts through Password Reset
I don't usually writeup my issues but I thought I should now starting sharing some of the issues which I've found. I mostly don't participate in Public Bug Bounties. I like to work for private sites. Like two months back, A company asked me to do the security test of their site. As always, I instantly started finding vulnerabilities in their site. I found so many and then I actually found the super serious one! Yes, I was actually able to reset password of any user account.
But wait! That was not easy. There was a so much use of logic. I was actually able to change password of the other user accounts through Password Reset function. I was able to do that by guessing the password reset token. I actually used my 2 personal email addresses for at the time of finding, but here I'm gonna use firstname.lastname@example.org and email@example.com for demonstration.
So I actually requested password reset for account firstname.lastname@example.org and I got the below password reset key:
I kept looking the password reset token and I then after few minutes realized that it looks like a Base64 Encoded key. I tried to decode it but It was unsuccessful. But I was sure that it is Base64 Encoded key not md5 etc... encrypted key. Then I kept trying to figure out what it actually it is. Then I reversed this key and then the key was:
Then I decoded the key with Base64 Decoder and Hurrayyy! It was successful. Yeyyy! The key was successfully decoded. It contained:
Now even Aliens knows that the first thing is your own email address but what is that second thing? I started thinking what it could be. I was looking at it and kept looking. Then I asked 2-3 password reset tokens and instantly decoded them so I found out that the just 2 last figures were change from those numbers. Then I realized that it is some kind of Time Stamp. Now it was action time. Guess what how can I hack other users through this?
To guess the password reset token you need the victim's email address and the exact time stamp. Then encode it into base64 key and reverse it. Genius? Did you get it yet how to do that? No? Keep reading...
So as I said, The reset key is actually based on the email address and exact time key. So the challenge was to guess the exact time stamp. But I instantly got a way to guess that. What I did it, I opened 2 windows of my browser and opened that page of the site where we request the password reset token. I opened that page on both windows, I changed the size of the windows to small so I can page on both windows at the same time. In one browser I wrote email@example.com in the email field and on the other window I wrote firstname.lastname@example.org. (I know you didn't get it. See the below image to understand it.)
Then I pressed the submit button at the same time. (I mean first the email@example.com and then instantly firstname.lastname@example.org). The I opened the key which I received on my email@example.com and I decoded it and got the time stamp. I replaced the email with firstname.lastname@example.org and the time stamp was same and I encoded + reversed the key and I had a token. I put that but the server said it is invalid. I increased the last figure of the time stamp(Because It took me a second in pressing email@example.com's password reset request after firstname.lastname@example.org) and again encoded + reversed it and then I put it on the server and yes it was correct, I guessed it. Then what? I was able to change the password 3:)
As I stated in the start that I've never wrote about my issues so I'm not good in writing but I hope you've understood it. Feel free to ask me in the comments :)
For Base64 Encoding: https://www.base64encode.org
For Base64 Decoding: https://www.base64decode.org
For Reversing: http://textmechanic.com/Reverse-Text-Generator.html