Zero Click To Account Takeover
Hello amazing hunter.
Today, I want to explain one of my favorite reports which lead me to take over any user account without one click from user. My favorite endpoint for test is reset password function; In this endpoint we have a lot of different options for test.
Let me explain how my target works to reset password function. We can use phone number or email address, If we use phone number, we will give an OTP code. On the other hand if we use email addresses, we will give a link and token. Keep this information away and let’s talk about register function and JWT token.
In register function we must register with phone number , wait a minute…, I said in reset password we can use email too, but where we confirm our email address? here is honey moon :)
By the way, I said JWT token? all of us know that in body of JWT we access some information of our accounts, I always check JWT body and try to remember all of information for other attack. So, what do we have in body? some regular information such as name and phone number and one of the important parameters was “Sub: 123”.
I think it’s enough for start , Let’s play this game…
Ok everyone , i register in site with phone number; when i submit my email address , show me a pop up to say “click the link sent your email to confirm”
Oh man , it’s base64 encoded :)) let’s try to decode one by one:
- YXJlIHlvdSBraWRkaW5nIG1l8J+kqA== -> i can’t decode this part clearly , i guess it’s token
- d2hhdCBleGFjdGx5IHlvdSB3YW50Pz8/ -> oh man:) it’s my email address(ex: email@example.com)
- b2ggbWFuIGFyZSB5b3Uga2lkZGluZyBtZT8= -> is a number (123)
Wait. What ??😐😐😐 Token + email addresses + a number ???
where i saw this number? i guess the number is for detecting my account. Exactly, in my JWT token , i have a parameter(“Sub”: 123) with the same number.
I immediately create a new account as victim and i notice that the number of “Sub” grow one by one even create a new account.
Step By Step to Takeover:
- Create attacker account (“Sub”:123) and Victim account (“Sub”:124)
- In attacker account submit your email address to receive confirmation link
- Replace the last part of link(Sub) with base64 encoded of victim sub
- Open the poisoning link in Browser
- Back to the site and submit a reset password for email you use in step 2
- You will receive a link for change password.
- After changing password you will redirect to Victim account :)
It’s a piece of cake
I Hope this write up was Helpful for you. Have Good Day