How I Discovered an Account Takeover Vulnerability!
Introduction
Hello hackers, this is Gowtham here, an Ethical Hacker and Penetration Tester who loves to investigate loopholes😅. This is my first blog out here on the Internet, so kindly forgive me if there are any mistakes. Today I am going to tell you how I could take over any user account of India's biggest and most popular college within 3 mins. Without any delay, let's start our journey of learning.
Sensitive Data Exposure AKA Information Disclosures
This college has two domains. The first, “example.com”, is where students take exams and check their results, so it does not have many functionalities. The other is “target.com”, the main domain, which has many important functionalities such as the payment system, creation of student IDs, and all the students' data along with their credit cards, and much more.
Usually everyone starts with the domain that has the most functionality, and I did the same😁, but I could not log in to this domain because I did not have any credentials. So I switched to the other domain (example.com), started looking into the JavaScript files, and captured every request and examined its response. There I saw something interesting in Forgot Password, where the request looks like this:
Here I supplied my admission number, and in the response the registered mobile number is disclosed. You may wonder what is wrong with that, but if I supply another user's admission number, I get his/her mobile number. The website then asks us to enter the mobile number so that it can send the OTP to reset the password.
Broken Access Control AKA Account Takeover
When I entered a wrong number other than the registered number, a message popped up asking me to enter the registered number. This means the phone number is validated only on the client side. So at this point I entered the registered mobile number of some other user, which we found earlier. Hurray!!! It was bypassed successfully. Now I can tamper with the mobile number field and change it to my own number, so that the OTP comes to me instead of going to the registered mobile number.
I entered the registered mobile number and then changed the phone number value to mine. Yes, we did it: we received the user's OTP and entered it, and now I can reset the password of any user without him/her knowing. This leads to account takeover of anyone on the second domain.
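The two root causes described above are a lookup response that leaks the registered number and an OTP step that trusts the phone number supplied by the client. The following is an added example of a hardened forgot-password flow, written for this post and not the college's code; the student directory, the in-memory OTP store and the `sent_sms` list standing in for an SMS gateway are all constructed for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample directory; a real system would read this from a database.
STUDENTS = {
    "ADM1001": {"user_id": 1, "mobile": "+911234567890"},
    "ADM1002": {"user_id": 2, "mobile": "+919876543210"},
}
OTP_TTL_SECONDS = 300
_pending = {}   # user_id -> (sha256(otp), expiry); OTP never stored in clear
sent_sms = []   # stand-in for the SMS gateway: records (destination, otp)


def mask(mobile):
    """Show only the last two digits so the user can recognise the number."""
    return "*" * (len(mobile) - 2) + mobile[-2:]


def forgot_password(admission_no):
    """Step 1: never echo the full registered number; unknown ids get the same shape
    of reply so valid admission numbers cannot be enumerated."""
    record = STUDENTS.get(admission_no)
    hint = mask(record["mobile"]) if record else None
    return {"ok": True, "hint": hint}


def request_otp(admission_no, claimed_mobile):
    """Step 2: the client-supplied number is only a knowledge check; the OTP is
    delivered to the number on file, which the client can never override."""
    record = STUDENTS.get(admission_no)
    if record is None or not hmac.compare_digest(record["mobile"], claimed_mobile):
        return False
    otp = f"{secrets.randbelow(10**6):06d}"
    digest = hashlib.sha256(otp.encode()).hexdigest()
    _pending[record["user_id"]] = (digest, time.time() + OTP_TTL_SECONDS)
    sent_sms.append((record["mobile"], otp))  # destination comes from the record
    return True


def reset_password(admission_no, otp, new_password):
    """Step 3: OTP is single use, time limited and bound to the account it was issued for."""
    record = STUDENTS.get(admission_no)
    if record is None or record["user_id"] not in _pending:
        return False
    digest, expiry = _pending.pop(record["user_id"])  # consumed on first attempt
    if time.time() > expiry:
        return False
    if not hmac.compare_digest(digest, hashlib.sha256(otp.encode()).hexdigest()):
        return False
    record["password_hash"] = hashlib.sha256(new_password.encode()).hexdigest()  # stand-in for a real password KDF
    return True
```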
“I immediately reported this bug to the domain administrator and was appreciated, along with a bounty of $500.”
Final Touch
This is where our story should usually end, but not in our case.
In my next blog, I am going to tell you how I used these vulnerabilities to bypass the payment system and pay every student for only $1. That will be most interesting and helpful to newcomers and others too.
Thanks for spending your valuable time. See you in my second blog very soon.
Regards,
Gowtham Naidu Ponnana