Method: Account theft with password reset

USAVALID
Aug 3, 2019
Hey. This article is about an interesting vulnerability found in a mobile wallet application owned by an Indian company.

Foreword
Authentication is the basis of the security of any system: the server verifies the authenticity of the data a user presents. It consists of 3 stages: identification (recognising user information, for example a login and password), authentication (verifying that information) and authorization (checking the user's rights and determining what they may access).

If authentication fails, we have the opportunity to restore access to the account. One such feature is password recovery by email. During the research, an error was found in the logic of this function on the service in question, which allowed taking over another person's account knowing only their email address.

How to do it?
For testing, an account was registered on the service with the email [email protected]. When the user clicks "Reset password", an email arrives with the following contents:

To reset your password, follow the link:

http://www._____.com/account/resetpassword?id=296417&token=YWNjdGVzdDk5OUBnbWFpbC5jb20=&vit=MjAxNi8xMC8yNQ==


It is not difficult to guess that the "id" parameter is the number of the registered account, and that the "token" and "vit" parameters are values encoded in Base64. Let's check the assumption:

BASE64 DECODE YWNjdGVzdDk5OUBnbWFpbC5jb20= is [email protected]

BASE64 DECODE MjAxNi8xMC8yNQ== is 2019/08/10


The pentest date is 2019/08/08, so "vit" is evidently the lifetime of the link. That is, the user has exactly two days to use it, after which it ceases to be valid.

First attempt. The recovery data turned out to be straightforward, so it was time to apply the experience in combat conditions. After a bit of browsing the site, an email address was found, [email protected], which had to be registered on the service. Using the password recovery form, we send a link to that mailbox.

Since we don't have access to that mailbox, we form the link ourselves:

BASE64 ENCODE [email protected] is MmNocjk5QGdtYWlsLmNvbQ==

"vit" (old value) is MjAxNi8xMC8yNQ==


The ID cannot be predicted, but it can be brute-forced (the site neither banned IPs nor limited the number of recovery attempts). Using Burp Suite, we send requests sequentially:

http://www._____.com/account/resetpassword?id=<iteration number>&token=MmNocjk5QGdtYWlsLmNvbQ==&vit=MjAxNi8xMC8yNQ==

and rely on the size of the page returned in the response. After a couple of minutes, one response differs from all the others; we open it and take over the account by changing the password.
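As an added example (not code from the post or from the affected service), here is the weak reset-link construction the post reverse-engineered, next to a hardened version a defender would put in its place. The account id, email, expiry date and route are constructed placeholders.

```python
import base64
import hashlib
import secrets

# Weak scheme, as the post describes it: token = base64(email), vit = base64(expiry date).
# Both values are derivable from public data; only the numeric account id is unknown.
def weak_reset_link(account_id: int, email: str, expiry: str) -> str:
    token = base64.b64encode(email.encode()).decode()
    vit = base64.b64encode(expiry.encode()).decode()
    return f"/account/resetpassword?id={account_id}&token={token}&vit={vit}"

def weak_link_derivable(email: str, expiry: str, link: str) -> bool:
    """True if the link's token and vit can be rebuilt knowing only the email and the date."""
    token = base64.b64encode(email.encode()).decode()
    vit = base64.b64encode(expiry.encode()).decode()
    return f"token={token}&vit={vit}" in link

# Hardened scheme: a random single-use token bound to the account on the server side.
# The link carries no user data, the expiry is server-controlled rather than a URL
# parameter, and only a hash of the token is stored so a leaked table is useless.
class ResetStore:
    def __init__(self):
        self._pending = {}  # sha256(token) -> (account_id, expires_at as epoch seconds)

    def issue(self, account_id: int, now: int, ttl: int = 3600) -> str:
        token = secrets.token_urlsafe(32)  # 256 random bits; not guessable, not derivable
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._pending[digest] = (account_id, now + ttl)
        return f"/account/resetpassword?token={token}"

    def redeem(self, token: str, now: int):
        """Return the account id if the token is known and unexpired, else None.
        A matching entry is removed on use or on expiry, so each token works once."""
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self._pending.pop(digest, None)
        if entry is None:
            return None
        account_id, expires_at = entry
        return account_id if now <= expires_at else None
```

Rate limiting of reset requests per account and per source address is still needed on top of this, since the post notes that the absence of any limit is what made the id enumeration practical.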