Blind Information Disclosure due to heavy misconfiguration

Evil hack Kong
Phone number and password are fake, xD
  1. Enumerate email IDs from the register function (victim@gmail.com)
  2. Create your own account (hacker@gmail.com), one whose Gmail inbox you can access
  3. Log in to site.com with hacker@gmail.com and update your email to victim@gmail.com
  4. You could also call this ATO (hahaha); the malfunctioning part is that it updates everything to the main email.
  5. Passwords on site.com for hacker and victim are qazwsx and qwerty respectively.
  6. Victim can log in using qwerty and also qazwsx (misconfiguration)
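
An added example (not from the original write-up and not site.com's code) that models the email-update flaw from steps 3 to 6 beside a hardened change flow. The `AccountStore` class, its method names and the in-memory storage are assumptions made for illustration.

```python
import hashlib, hmac, secrets

class AccountStore:
    """Constructed in-memory model of site.com's accounts (assumption)."""
    def __init__(self):
        self.creds = {}    # email -> set of password hashes accepted at login
        self.pending = {}  # token -> (current_email, new_email)

    @staticmethod
    def _h(pw):
        # Plain SHA-256 keeps the demo short; use a slow password KDF in production.
        return hashlib.sha256(pw.encode()).hexdigest()

    def register(self, email, pw):
        if email in self.creds:
            return False
        self.creds[email] = {self._h(pw)}
        return True

    def login(self, email, pw):
        return any(hmac.compare_digest(self._h(pw), h) for h in self.creds.get(email, ()))

    def update_email_vulnerable(self, current, new):
        # Flaw as modelled here: no uniqueness/ownership check, credentials get merged.
        self.creds.setdefault(new, set()).update(self.creds.pop(current))

    def request_email_change(self, current, pw, new):
        # Hardened: re-authenticate and refuse addresses that are already registered.
        if not self.login(current, pw) or new in self.creds:
            return None
        token = secrets.token_urlsafe(32)  # mailed to `new` only: proves mailbox control
        self.pending[token] = (current, new)
        return token

    def confirm_email_change(self, token):
        current, new = self.pending.pop(token, (None, None))
        if current not in self.creds or new in self.creds:  # re-check at commit time
            return False
        self.creds[new] = self.creds.pop(current)
        return True

def demo():
    v, s = AccountStore(), AccountStore()
    for store in (v, s):
        store.register("victim@gmail.com", "qwerty")
        store.register("hacker@gmail.com", "qazwsx")
    v.update_email_vulnerable("hacker@gmail.com", "victim@gmail.com")
    blocked = s.request_email_change("hacker@gmail.com", "qazwsx", "victim@gmail.com") is None
    return v.login("victim@gmail.com", "qazwsx"), blocked, s.login("victim@gmail.com", "qazwsx")
```

`demo()` returns whether the second password works on the vulnerable store, whether the hardened store blocked the change, and whether the second password works on the hardened store. The client-facing response to a rejected change should be the same as for an accepted request, so the change form does not become another way to enumerate registered addresses.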

Aditya Shende

#kongsec | Solo Bounty Hunter | Function Exploits and Report Crafting | Bikes | Not a XSS guy | Own views | Bugcrowd Top 100 | Top 10 P1 warriors | Biker