Account Takeover using Update Password functionality + Weak Password Policy

In this post, I will show how an Update Password feature can be turned into a full account takeover.

Yes, it is as easy as it sounds. I reported this issue on a website that did not have a bug bounty program (not recommended unless you have permission to test).

Proof of Concept:

1. Take a website (example.com) -> Sign up -> go to your Profile Settings -> go to Update Password.

   Users can update their password without entering the old password, as shown in the screenshot.

2. Update your password and intercept the request with any proxy tool.

   Because of the weak password policy, I was able to set a single-digit password.

3. Look at the request again: you will find a user_id parameter that identifies which user's password is being updated.

   The first thought that comes to mind is to change the value of that parameter and check the response. (Do the same.)

   We successfully updated the password of an arbitrary user just by changing the user_id parameter: the server trusts the client-supplied user_id instead of the logged-in session.

   In the response you can find the email address of the user whose password we updated. Use that email address to check whether the new password works.

   Successfully logged in!
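To make the root cause concrete, here is an added example (not code from the original post or from the affected site) of a minimal update-password handler with exactly the three weaknesses described above, placed next to a hardened version. It is framework-free so it runs offline: the session and request body are plain dicts constructed here, the user store is an in-memory dict, and the password policy regex is an assumed policy, not the site's.

```python
"""Added example (not from the original post): an update-password handler with
the IDOR + weak-policy pattern described above, beside a hardened version.
Session, request body and user store are constructed stand-ins."""
import hashlib
import hmac
import os
import re
from typing import Optional, Tuple

# Constructed in-memory user store: user_id -> record (stand-in for a database).
USERS = {}


def _hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


def register(user_id: int, email: str, password: str) -> None:
    salt, digest = _hash_password(password)
    USERS[user_id] = {"email": email, "salt": salt, "hash": digest}


def verify_password(user_id: int, password: str) -> bool:
    rec = USERS.get(user_id)
    if rec is None:
        return False
    _, digest = _hash_password(password, rec["salt"])
    return hmac.compare_digest(digest, rec["hash"])


def update_password_vulnerable(session: dict, body: dict) -> dict:
    """Mirrors the flawed behaviour from the post:
    - the target account comes from the client-supplied user_id (IDOR),
    - no current-password check,
    - no password policy, so a single digit is accepted,
    - the response leaks the target's email address."""
    user_id = int(body["user_id"])  # trusted straight from the request
    rec = USERS[user_id]
    rec["salt"], rec["hash"] = _hash_password(body["new_password"])
    return {"status": "ok", "email": rec["email"]}


# Assumed policy for the example: 12+ chars with lower, upper and digit.
PASSWORD_RE = re.compile(r"^(?=.*[a-z])(?=.*[A-Z])(?=.*\d).{12,}$")


def update_password_hardened(session: dict, body: dict) -> dict:
    """Hardened version: identity comes from the server-side session only,
    the current password is required, the policy is enforced, and the
    response carries no account data."""
    user_id = session.get("user_id")  # never read from the request body
    if user_id is None or user_id not in USERS:
        return {"status": "error", "reason": "unauthenticated"}
    if not verify_password(user_id, body.get("current_password", "")):
        return {"status": "error", "reason": "current password incorrect"}
    new_password = body.get("new_password", "")
    if not PASSWORD_RE.match(new_password):
        return {"status": "error", "reason": "password does not meet policy"}
    rec = USERS[user_id]
    rec["salt"], rec["hash"] = _hash_password(new_password)
    return {"status": "ok"}


def demo() -> dict:
    """Replays the tampered request from the post against both handlers."""
    USERS.clear()
    register(1, "attacker@example.com", "Attacker-Pass-1234")
    register(2, "victim@example.com", "Victim-Pass-5678")
    attacker_session = {"user_id": 1}
    tampered = {"user_id": 2, "current_password": "Attacker-Pass-1234",
                "new_password": "1"}

    # Hardened handler: user_id in the body is ignored, and even the caller's
    # own account rejects a single-digit password. The victim is untouched.
    blocked = update_password_hardened(attacker_session, tampered)
    victim_intact = verify_password(2, "Victim-Pass-5678")

    # Vulnerable handler: the same request resets user 2's password to "1"
    # and echoes the victim's email, which is what the post observed.
    leak = update_password_vulnerable(attacker_session, tampered)
    victim_pwned = verify_password(2, "1")

    return {"hardened_reason": blocked["reason"], "victim_intact": victim_intact,
            "leaked_email": leak["email"], "victim_pwned": victim_pwned}


if __name__ == "__main__":
    print(demo())
```

The fix that matters most is the first line of the hardened handler: the account being modified is derived from the authenticated session, so no value in the request body can redirect the change to someone else. Requiring the current password and enforcing a policy close the other two gaps the post exploited.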

You could use Burp Suite to automate the attack and change the passwords of all registered users. (Not recommended.)

This bug was ethically reported and successfully patched.

Thanks for Reading!
