How We “Forced” Our Client To Fix A Low Severity Security Bug And Still Got Appreciated!

From our experience, we knew low severity issues like this could be chained into an interesting attack chain and needed to be fixed. It's our responsibility to provide the client with the input necessary to make them understand the possibility of a major flaw; after all, there is a reason the client made the “accountId” non-enumerable.

We Took The Challenge

Proof Of Concept

  1. Get the victim's “accountId” from the order details endpoint using the victim's email.
  2. Use the “accountId” to change the victim's email to an attacker-controlled email address through the email change endpoint.
  3. Since there isn't any email change confirmation required on this endpoint, the attacker can use the password reset functionality and receive the link at his own email address.
  4. Use the password reset link to change the password and take over the victim's account without the victim's interaction or knowledge.
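A minimal model of the email change endpoint with the two checks that break this chain (the target account comes from the session, not the request, and the new address must confirm before the change lands). This is an added example, not the client's code or the post's own; the account ids, addresses and in-memory store are constructed for the demo.

```python
import secrets


def demo_accounts():
    """Constructed sample data for the example; not the client's real system."""
    return {
        "acc-7f3a": {"email": "victim@example.com"},
        "acc-0001": {"email": "attacker@example.net"},
    }


def change_email_vulnerable(accounts, account_id, new_email):
    """Mirrors the flaw described in the post: the accountId comes from the
    request and the change is applied at once, so anyone who knows the id can
    redirect password-reset mail for that account."""
    accounts[account_id]["email"] = new_email
    return accounts[account_id]["email"]


def change_email_hardened(accounts, pending, session_account_id, requested_account_id, new_email):
    """Two fixes. First, the account modified is the one the caller is logged
    in as; a different accountId in the request is rejected (and worth alerting
    on, since it signals enumeration or replay). Second, the change is parked
    until the new address proves it received the confirmation token."""
    if session_account_id not in accounts or requested_account_id != session_account_id:
        return None
    token = secrets.token_urlsafe(32)
    pending[token] = (session_account_id, new_email)
    return token  # delivered to new_email; the old address gets a "was this you?" notice


def confirm_email_change(accounts, pending, token):
    """Handler behind the confirmation link sent to the new address. Single use."""
    entry = pending.pop(token, None)
    if entry is None:
        return False
    account_id, new_email = entry
    accounts[account_id]["email"] = new_email
    return True


def password_reset_recipient(accounts, account_id):
    """Address a password-reset link would be delivered to; the chain in the
    post only works if this has become the attacker's mailbox."""
    return accounts[account_id]["email"]
```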

Rohan Aggarwal

Founder and CEO at DefCore Security(https://defcore.io) | Found vulns in Yahoo, Twitter, Apple, etc | AppSec | BugBounty | Speaker