My First Pre-Auth Account Takeover in 20 secs
Hello All, this is my first account takeover writeup and I hope it helps everyone. Taking over another user’s account is something that amazes everyone. There are several ways in which we can perform “Account Takeover”, but the one I found is a bit interesting!!!
Note: The domain and other details have been masked to maintain Confidentiality.
Forgot Password is the feature where most “Pre-Auth” account takeovers happen, so I started playing around with it.
I initiated a “Forgot Password” request with the victim’s email id. The request looks like this:
It accepted only “email_id” as a parameter, and if a valid email id is provided, the application sends an OTP to the registered mobile number. The response of this request looks like this:
It states that the OTP has been sent successfully, and the response also contained the mobile number to which the OTP was sent. I tried adding “mobileNo” along with its value in the “Forgot Password” request itself, but no luck.
It was still sending the OTP to the registered Mobile number.
I tried bypassing the OTP validation, but nothing worked there as well.
Then, there was a “Resend OTP” feature which caught my attention. I initiated a “Resend OTP” request and captured it with “Burp Suite”. The request looked like this:
A mobile number parameter was being passed, and its value was the registered mobile number on which the OTP is received.
So, I modified the value of “mobile_no” parameter to my mobile number and forwarded the request, as shown in the screenshot below.
Guess what, I received the OTP on my mobile number, as you can see below.
I entered the OTP and tried to reset the password. The application gave a success message😉.
I tried to log in with the victim’s email id and the password I had set, and the application allowed me to log in, lol.
I had complete access to the victim’s account, and you know how it feels when you own an account.
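The root cause above is a “Resend OTP” endpoint that trusts a client-supplied “mobile_no” instead of the number stored against the reset request. The Python below is an added example (not code from the affected application) that models the vulnerable handler next to a hardened one; the `email_id` parameter on the resend request, the in-memory stores and the fake SMS gateway are all my assumptions.

```python
import secrets

# Constructed sample user record with a registered mobile number.
USERS = {"victim@example.com": {"mobile_no": "+10000000001"}}

RESET_SESSIONS = {}  # pending password-reset flows, keyed by email_id (assumed design)
SENT_SMS = []        # (destination, otp) pairs captured by the fake SMS gateway


def send_sms(mobile_no, otp):
    SENT_SMS.append((mobile_no, otp))


def forgot_password(email_id):
    """Step 1: resolve the user server-side and send the OTP to the registered number."""
    user = USERS.get(email_id)
    if user is None:
        return {"status": "ok"}  # identical response either way, so emails cannot be enumerated
    otp = f"{secrets.randbelow(10**6):06d}"
    RESET_SESSIONS[email_id] = {"otp": otp, "mobile_no": user["mobile_no"]}
    send_sms(user["mobile_no"], otp)
    return {"status": "ok"}


def resend_otp_vulnerable(params):
    """'Resend OTP' as in the writeup: the destination is whatever the client sent as mobile_no."""
    sess = RESET_SESSIONS.get(params.get("email_id"))
    if sess is None:
        return {"status": "error"}
    send_sms(params["mobile_no"], sess["otp"])  # attacker-controlled destination
    return {"status": "ok"}


def resend_otp_fixed(params):
    """Hardened: the destination comes only from the server-side session; any client mobile_no is ignored."""
    sess = RESET_SESSIONS.get(params.get("email_id"))
    if sess is None:
        return {"status": "error"}
    sess["otp"] = f"{secrets.randbelow(10**6):06d}"  # issue a fresh OTP and invalidate the old one
    send_sms(sess["mobile_no"], sess["otp"])
    return {"status": "ok"}


def otp_delivered_to_unregistered_number(handler):
    """Run one reset flow through `handler` and report whether an OTP left for a non-registered number."""
    SENT_SMS.clear()
    RESET_SESSIONS.clear()
    forgot_password("victim@example.com")
    handler({"email_id": "victim@example.com", "mobile_no": "+19999999999"})  # constructed foreign number
    registered = USERS["victim@example.com"]["mobile_no"]
    return any(dest != registered for dest, _ in SENT_SMS)
```

The same check can serve as a regression test: a resend endpoint should never be able to deliver an OTP to a number that did not come from the server-side record.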
Golden Tip: Make sure you check each parameter in every request and all the API endpoints. You never know when you will hit the jackpot.
LinkedIn: Pawan Chhabria