Blind Information Disclosure due to heavy misconfiguration

Kongsec
4 min read · Dec 18, 2020

Hi everyone,

I am Aditya Shende (Kong) from India, a bounty hunter, biker and researcher. I know the title of this story is pretty weird, but the finding and the logic behind it are really awesome (I feel). Without wasting time, I will get straight to my finding.

A proper and fully functional target, the kind I like most while hunting. I can’t disclose its name, yeah, it’s a private one. Let’s call it site.com (everyone uses that one). Whenever I check any application I see virtual exploits in my mind, thinking it may happen, it may be vulnerable, and so on. The point is: why not try? So I did.

While checking the application I found there is no email verification for account creation: just create an account and go to the login page to access it. Yes, this is how I check functions as a normal user. For an extra-privileged account I visited hunter.io to collect company employee emails and tried to create accounts using those addresses = no success. Another thing I tried: account creation using aditya@gmail.com@site.com = no success.

So I started again on the register form, which we already know is buggy for email-ID enumeration. So what?? It’s P5.

So email enumeration is a valid finding no matter what the priority (P5).

I created an account with aditya+1337@gmail.com (xD) because aditya@gmail.com was already registered. I got a mail on aditya@gmail.com showing the email ID, the password for login and the phone number for aditya+1337@gmail.com. Ahh weird!!! Come on bruhhhh, it’s just the alias, as usual.

Evil hack Kong

So I have access to aditya@gmail.com, but for registration I can’t force a user to create an account with +anynumberhere, for example aditya+70@gmail.com. So I logged in again to aditya+1337@gmail.com and updated my phone number, and again I got a mail on aditya@gmail.com: “Your phone number is updated to +91 XXXXXXXXX”. So the function is: whatever we update in the account, every update is sent to the email.

Phone number and password are fake, xD

Here I changed the game. I accessed my account aditya@gmail.com on site.com and changed my email ID to aditya+1337@gmail.com. As usual I got a mail on aditya@gmail.com saying my updated mail ID is aditya+1337@gmail.com (it should have said “already in use”). So the point is that aditya+1337@gmail.com is now able to log in with 2 passwords, because one is mine (attacker) and the other is the victim’s. I tried, and luckily it was working with both passwords.

So what’s the impact here?? When the victim user updates any information like email ID, phone number or other fields, an update email is sent to my Gmail account. I don’t know when the user will update his/her information, so it’s BLIND. The users of site.com all over the world are 78k+, and yessss, they are all affected. Whatever they update, the hacker gets that information, which is P1 priority because the data contains username, password, phone number, email ID, address etc.

Steps to reproduce:

  1. Enumerate email IDs from the register function (victim@gmail.com)
  2. Create an account of your own (hacker@gmail.com) whose Gmail inbox you have access to
  3. Log in to site.com with hacker@gmail.com and update your email to victim@gmail.com
  4. You can call it ATO as well (hahahhaaha); the malfunctioning part is that it sends every update to the main email.
  5. Passwords on site.com for the hacker and the victim are qazwsx and qwerty respectively.
  6. The victim can log in using qwerty and also qazwsx (misconfiguration)

Threat: Using the register form the hacker enumerates emails and can then perform a targeted attack to gain sensitive information, because whenever the victim updates any information in the account, an email containing that sensitive information is sent.

Email verification is important | Check whether the user already exists or not | Give users the privilege to enable/disable notifications over mail
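To show what those three fixes look like in code, here is an added example (mine, not site.com’s code or anything from the post) of a registration, login and email-change flow that closes the defects the reproduction steps above rely on: plus-aliases of one mailbox resolve to a single account, an email change is refused when another account owns the address and only takes effect after the new address returns a confirmation token, and the register and change forms answer identically whether or not the address exists, so they cannot be used for enumeration. The in-memory dict, the outbox list standing in for SMTP, and the Gmail alias rule (dots and +tags ignored in the local part) are assumptions of the example.

```python
"""Hardened registration / login / email-change flow. Added example, not the post's code.
Storage is an in-memory dict and "sending" a mail appends to an outbox list
(constructed stand-in for SMTP); both are assumptions made for this example."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

GENERIC_MSG = "If that address can be used, a verification email has been sent to it."


def canonical_email(addr: str) -> str:
    """Map every alias of one mailbox to one lookup key.
    Assumption: Gmail ignores dots and anything after '+' in the local part.
    Other domains are only case-folded, since their alias rules are not known here."""
    local, at, domain = addr.strip().lower().rpartition("@")
    if not at or not local or not domain or "@" in local:
        raise ValueError(f"malformed address: {addr!r}")  # also rejects user@gmail.com@site.com
    if domain == "gmail.com":
        local = local.split("+", 1)[0].replace(".", "")
    return f"{local}@{domain}"


def hash_password(pw: str, salt: bytes = b"") -> tuple:
    salt = salt or secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)


@dataclass
class Account:
    email: str          # address as typed; trusted only once verified is True
    salt: bytes
    pw_hash: bytes
    verified: bool = False


@dataclass
class AccountService:
    accounts: dict = field(default_factory=dict)  # canonical email -> Account, one per mailbox
    pending: dict = field(default_factory=dict)   # token -> (current canonical key, new address)
    outbox: list = field(default_factory=list)    # (recipient, body) pairs

    def _send(self, to: str, body: str) -> None:
        self.outbox.append((to, body))

    def _issue_token(self, key: str, new_email: str) -> None:
        token = secrets.token_urlsafe(32)
        self.pending[token] = (key, new_email)
        self._send(new_email, f"Confirm this address: token={token}")

    def register(self, email: str, password: str) -> str:
        key = canonical_email(email)
        if key in self.accounts:
            # The real owner is told; the requester sees the same message either way.
            self._send(self.accounts[key].email, "Someone tried to register with your address")
            return GENERIC_MSG
        salt, h = hash_password(password)
        self.accounts[key] = Account(email, salt, h)
        self._issue_token(key, email)
        return GENERIC_MSG

    def confirm(self, token: str) -> bool:
        """Complete a registration or an email change once the mailbox proves receipt."""
        if token not in self.pending:
            return False
        key, new_email = self.pending.pop(token)
        acct = self.accounts.pop(key, None)
        if acct is None:  # account renamed or deleted since the token was issued
            return False
        acct.email, acct.verified = new_email, True
        self.accounts[canonical_email(new_email)] = acct
        return True

    def login(self, email: str, password: str) -> bool:
        acct = self.accounts.get(canonical_email(email))
        if acct is None or not acct.verified:
            return False
        _, h = hash_password(password, acct.salt)
        return hmac.compare_digest(h, acct.pw_hash)  # one record, hence one password, per mailbox

    def change_email(self, email: str, password: str, new_email: str) -> str:
        """Re-authenticate, refuse an address another account owns, switch only after confirm()."""
        if not self.login(email, password):
            return "Authentication failed."
        key, new_key = canonical_email(email), canonical_email(new_email)
        if new_key in self.accounts and new_key != key:
            self._send(self.accounts[new_key].email, "Someone tried to attach your address to another account")
            return GENERIC_MSG
        self._issue_token(key, new_email)
        # Change notices go to the current verified address, never to the unconfirmed new one.
        self._send(self.accounts[key].email, "An email change was requested for your account")
        return GENERIC_MSG
```

One trade-off to note: an unconfirmed registration reserves the canonical key, so a real production version would expire pending tokens and free the key, otherwise someone could block a mailbox from ever registering. Lookups always go through canonical_email, which is what stops aditya+1337@gmail.com from becoming a second record beside aditya@gmail.com with its own password.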

Yes, it’s my 1st article.

That's all from my side. If I made any mistakes, let it be. I hope you learned something new.

Jai Hind
