Weird functionality leads to Account Takeover (Millions of Users affected)

Hey Everyone,

Summary:

Recently, I discovered an Authentication Bypass that can lead to a complete Account Takeover. This write-up explains how I found and exploited that issue. So let’s get started.

Scenario:

Phase 1 (Finding the Vulnerability):

Android-App:

While testing the Android app, I created an account with <redacted>@gmail.com. After account creation, I logged into my account and a pricing page popped up describing all the features; to get full feature access, I would have to pay. (The account was too expensive.)

Web-App:

I followed the same steps for account creation on their web portal. But after filling in all the details, I landed on a pricing page, which seemed weird to me: in the Android app I was able to create an account without paying, but on the web portal I had to pay first to create an account.

Note:

Ah, the functionality is too weird for me, because in the Android app I can create an account and then the pricing page pops up, but in the web application things are a little different (the pricing page pops up after filling in all the details).

Phase 2 (Exploiting the Vulnerability):

Let’s try to exploit this weird functionality. I tried again to create an account on the web portal with the same email address that I used in the Android app, but with different details (First Name, Last Name & Password). Later, I noticed that those same details were reflected in the Android app.

So, these are the few cases that I used to exploit this vulnerability:

Case 1: (web portal)

First, I tried to create an account on the web portal with the same email address that I used in the Android app for account creation, but with a different First Name & Last Name.

Result 1: (android app)

The details that I used on the web portal were reflected in my Android app. (An unauthorized actor can change the first name & last name.)

Changing First Name & Last Name

After that, I went for a password change, i.e. setting up a new password.

Case 2: (web portal)

Then I again created an account on the web portal with the same email address but with a different password.

Result 2: (android app)

I found myself logged out of my account in the Android app, and when I used the same password that I had set on the web portal, that password worked and logged me in. (An unauthorized actor can take over any account.)

Steps to Reproduce:

  1. Open the Android app & sign up.
  2. After account creation, skip the pricing section.
  3. Now go to the web portal “https://www3.redacted.com/account”.
  4. Fill in the same email address but with different details (First Name, Last Name & Password).
  5. Click the Next button; after that the pricing page pops up (skip that section too).
  6. Now go to the Android app, enter the victim’s email and use the password that you filled in on the web portal during account creation.
  7. You will notice that the victim’s account is compromised.
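To make the root cause concrete, here is an added example (a constructed model written for this write-up, not the vendor’s code): a minimal shared user store where the web sign-up handler behaves as an upsert, beside a fixed handler that never modifies an existing row from an unauthenticated sign-up. `replay` runs the two-channel sequence from the steps above against each handler. All function names, emails and passwords are invented for the example.

```python
"""Model of the cross-channel sign-up flaw from the write-up.

Constructed example, not the vendor's code. Two sign-up channels (Android
and web) share one user table. The vulnerable web handler treats "create
account" as an upsert, so a second sign-up with an existing email silently
rewrites the victim's name and password. The fixed handler never modifies
an existing row from an unauthenticated sign-up.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Generic reply used by the fixed handler on both paths, so the response
# does not reveal whether the address is already registered.
GENERIC_SIGNUP_REPLY = "Check your inbox to finish setting up your account."


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """PBKDF2-HMAC-SHA256 with a random 16-byte salt (returns salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


@dataclass
class User:
    email: str
    first_name: str
    last_name: str
    salt: bytes
    pw_hash: bytes


@dataclass
class UserStore:
    users: Dict[str, User] = field(default_factory=dict)
    audit: List[str] = field(default_factory=list)  # what a detection rule would read

    @staticmethod
    def _key(email: str) -> str:
        # Normalise so Alice@Example.com and alice@example.com map to one row.
        return email.strip().lower()

    def register_vulnerable(self, channel: str, email: str, first: str,
                            last: str, password: str) -> str:
        """Sign-up implemented as an upsert: no check that the row is free."""
        key = self._key(email)
        salt, digest = hash_password(password)
        self.users[key] = User(key, first, last, salt, digest)  # clobbers any existing row
        self.audit.append(f"{channel} signup ok {key}")
        return "Account created"

    def register_fixed(self, channel: str, email: str, first: str,
                       last: str, password: str) -> str:
        """Sign-up that refuses to touch an existing account."""
        key = self._key(email)
        if key in self.users:
            # Record it: sign-up attempts for an address that already exists,
            # especially from a second channel, are the signal to alert on.
            self.audit.append(f"{channel} signup denied-existing {key}")
            return GENERIC_SIGNUP_REPLY
        salt, digest = hash_password(password)
        self.users[key] = User(key, first, last, salt, digest)
        self.audit.append(f"{channel} signup ok {key}")
        return GENERIC_SIGNUP_REPLY

    def login(self, email: str, password: str) -> bool:
        user = self.users.get(self._key(email))
        if user is None:
            return False
        _, digest = hash_password(password, user.salt)
        return hmac.compare_digest(digest, user.pw_hash)


def replay(handler_name: str) -> Tuple[bool, bool, str, str]:
    """Run the write-up's two-channel sequence against one sign-up handler.

    Returns (victim_password_still_works, web_password_works,
             first_name_on_record, last_audit_line).
    """
    store = UserStore()
    register = getattr(store, handler_name)
    # Constructed victim account created from the Android channel.
    register("android", "victim@example.com", "Victim", "User", "victim-pass")
    # Second sign-up for the same address from the web portal, different details.
    register("web", "Victim@Example.com", "Mallory", "Intruder", "web-pass")
    return (
        store.login("victim@example.com", "victim-pass"),
        store.login("victim@example.com", "web-pass"),
        store.users["victim@example.com"].first_name,
        store.audit[-1],
    )


if __name__ == "__main__":
    print("vulnerable:", replay("register_vulnerable"))
    print("fixed:     ", replay("register_fixed"))
```

Against the vulnerable handler, the victim’s password stops working and the web-supplied name and password are now on record; against the fixed handler the original row is untouched and the only trace is an audit line, which is also the event worth alerting on (repeat sign-ups for one address, particularly from a different channel than the original). Whether the real portal’s bug was an upsert or a separate “update profile” path reached through the sign-up form is not stated in the write-up; the model only reproduces the observed behaviour.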

Timeline:

Bounty

Oct 20, 2020 — Reported to a private program
Oct 20, 2020 — Report Triaged
Oct 22, 2020 — Vulnerability Fixed
Oct 28, 2020 — Bounty of $4000 USD awarded

Special thanks to sechunt3r (Bad Bro 🤑)

Bug Hunter | Programmer
Sahil Mehra