Zero Click To Account Takeover

Hello amazing hunter.

Today, I want to explain one of my favorite reports, which let me take over any user account without a single click from the user. My favorite endpoint to test is the reset password function; in this endpoint we have a lot of different options to test.

Let me explain how my target's reset password function works. We can use a phone number or an email address. If we use a phone number, we are sent an OTP code; if we use an email address, we are sent a link with a token. Keep this information in mind and let's talk about the register function and the JWT token.

In the register function we must register with a phone number. Wait a minute... I said that in reset password we can use email too, but where do we confirm our email address? Here is the honeymoon :)

By the way, did I say JWT token? All of us know that in the body of a JWT we can see some information about our account. I always check the JWT body and try to remember all of the information for other attacks. So, what do we have in the body? Some regular information such as name and phone number, and one of the important parameters was “Sub”: 123.

I think that's enough for a start. Let's play this game...

OK everyone, I registered on the site with a phone number; when I submitted my email address, a pop-up said “click the link sent to your email to confirm”.

Link: Site.com/YXJlIHlvdSBraWRkaW5nIG1l8J+kqA==/d2hhdCBleGFjdGx5IHlvdSB3YW50Pz8/b2ggbWFuIGFyZSB5b3Uga2lkZGluZyBtZT8=

Oh man, it's base64 encoded :)) Let's try to decode it part by part:

  1. YXJlIHlvdSBraWRkaW5nIG1l8J+kqA== -> I can't decode this part clearly; I guess it's the token

Wait. What?? 😐😐😐 Token + email address + a number???

Where did I see this number? I guess the number is for identifying my account. Exactly: in my JWT token, I have a parameter (“Sub”: 123) with the same number.

I immediately created a new account as the victim and noticed that the number in “Sub” grows one by one with each newly created account.

Step By Step to Takeover:

  1. Create an attacker account (“Sub”: 123) and a victim account (“Sub”: 124)

It's a piece of cake.
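The root cause above is a confirmation link that carries the account id and email address as data the server trusts. As an added example (not the target site's code, and a constructed in-memory store instead of a database), here is a confirmation flow where the account and email are bound to a random token server-side, so the link carries nothing an attacker can edit:

```python
import hashlib
import secrets
import time

# Constructed sample accounts, mirroring the sequential "Sub" values in the write-up.
USERS = {
    123: {"phone": "+10000000001", "email": None},
    124: {"phone": "+10000000002", "email": None},
}
# sha256(token) -> {"sub", "email", "expires"}; only the hash is stored,
# so a leaked table does not yield usable links.
PENDING = {}


def issue_confirmation_link(sub: int, email: str, ttl: int = 3600) -> str:
    """Bind a fresh random token to the requesting account and its claimed email.

    The link carries only the opaque token: the account id and the email never
    travel in the URL, so there is nothing to tamper with.
    """
    token = secrets.token_urlsafe(32)
    digest = hashlib.sha256(token.encode()).hexdigest()
    PENDING[digest] = {"sub": sub, "email": email, "expires": time.time() + ttl}
    return "https://site.example/confirm/" + token


def confirm_email(token: str) -> bool:
    """Resolve the account from the token, never from user-supplied sub/email."""
    digest = hashlib.sha256(token.encode()).hexdigest()
    rec = PENDING.get(digest)
    if rec is None or rec["expires"] < time.time():
        return False  # unknown, already used, or expired token
    del PENDING[digest]  # single use: the same link cannot be replayed
    USERS[rec["sub"]]["email"] = rec["email"]
    return True
```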

I hope this write-up was helpful for you. Have a good day.
