Weak authentication and session management
Title: Weak authentication and session management
Scope: None
Weakness: Improper Access Control - Generic
Severity: High
Link: https://hackerone.com/reports/311536
Date: 2018-02-02 04:46:14 +0000
By: @newatia123
Summary: Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users' identities. Account credentials and session tokens are often not properly protected.
- A third party can access anyone's account
- An attacker can compromise passwords, keys or authentication tokens
Description: The risks of this vulnerability are: undermined authorization and accountability controls, privacy violation, identity theft.
Steps To Reproduce:
- I have just created an account and logged in with the email ID (dude@kumail8.info).
- Go to account settings.
- Request an email change and enter a new email address, i.e. (cozehizot@send22u.info).
- A verification email has been sent to the new email address.
- Before confirming the email ID, I just requested a password reset from my legitimate account (dude@kumail8.info).
- I confirmed from the email address (cozehizot@send22u.info) {as you can see in the video}.
- Now my email ID is (cozehizot@send22u.info).
- I got the password-reset mail on dude@kumail8.info, but technically that email ID no longer exists because it has been replaced, so the authentication token or user session of the password reset should have expired.
- But as you can see in the video, we use the password-reset link sent to (dude@kumail8.info), and it works and is able to change the password of the new email ID (cozehizot@send22u.info).
- And I got the password-change confirmation mail on the legitimate email ID (cozehizot@send22u.info) even though I did not use the reset link from this email address.
Done.
Supporting Material/References:
video: https://ufile.io/xif67
text: https://ufile.io/rh08j
Impact
The attacker achieves:
1) Brute force
2) Replay attack
3) Session fixation attack
4) Session hijacking
5) Session timeout
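The sequence in the report (request an email change, request a password reset before the change is confirmed, confirm the change, then use the reset link that went to the old address) comes down to one design flaw: the reset token is bound to the user ID only, not to the address it was mailed to, and it is not revoked when that address changes. The following is an added example, written for this page and not the reporter's material or the affected vendor's code. It models a toy account service (all class, function and field names are assumptions) that can run in the reported mode, where a stale reset link still works, or in a hardened mode that records the address each reset token was sent to, refuses the token if the account's address has changed since, and revokes outstanding tokens when an email change is confirmed. The two test accounts reuse the addresses from the report; the "outbox" list stands in for sending mail.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

RESET_TTL_SECONDS = 15 * 60


def _hash_token(token: str) -> str:
    # Only a hash of each token is stored, so a database leak does not expose live links.
    return hashlib.sha256(token.encode()).hexdigest()


def _hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    salt = salt or secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


@dataclass
class User:
    user_id: int
    email: str
    salt: bytes
    password_hash: bytes
    pending_email: Optional[str] = None


@dataclass
class ResetToken:
    user_id: int
    email_at_issue: str  # the address the reset link was actually mailed to
    expires_at: float


class AccountService:
    """Toy account store (assumed design). bind_reset_to_email=False mimics the reported
    behaviour: a reset token issued to the old address survives the email change."""

    def __init__(self, bind_reset_to_email: bool) -> None:
        self.bind_reset_to_email = bind_reset_to_email
        self.users: Dict[int, User] = {}
        self.reset_tokens: Dict[str, ResetToken] = {}      # token hash -> record
        self.email_change_tokens: Dict[str, int] = {}      # token hash -> user_id
        self.outbox: List[Tuple[str, str, str]] = []       # (to, kind, token) instead of SMTP

    def register(self, email: str, password: str) -> User:
        salt, digest = _hash_password(password)
        user = User(len(self.users) + 1, email, salt, digest)
        self.users[user.user_id] = user
        return user

    def _user_by_email(self, email: str) -> Optional[User]:
        return next((u for u in self.users.values() if u.email == email), None)

    def request_email_change(self, user_id: int, new_email: str) -> None:
        token = secrets.token_urlsafe(32)
        self.users[user_id].pending_email = new_email
        self.email_change_tokens[_hash_token(token)] = user_id
        self.outbox.append((new_email, "confirm-email", token))

    def confirm_email_change(self, token: str) -> None:
        user_id = self.email_change_tokens.pop(_hash_token(token))
        user = self.users[user_id]
        user.email, user.pending_email = user.pending_email, None
        if self.bind_reset_to_email:
            # Hardened: a link mailed to the old address is no longer proof of control.
            self.reset_tokens = {h: t for h, t in self.reset_tokens.items() if t.user_id != user_id}

    def request_password_reset(self, email: str) -> None:
        user = self._user_by_email(email)
        if user is None:
            return  # do not reveal whether the address exists
        token = secrets.token_urlsafe(32)
        record = ResetToken(user.user_id, email, time.time() + RESET_TTL_SECONDS)
        self.reset_tokens[_hash_token(token)] = record
        self.outbox.append((email, "reset-password", token))

    def reset_password(self, token: str, new_password: str) -> bool:
        record = self.reset_tokens.pop(_hash_token(token), None)  # single use
        if record is None or record.expires_at < time.time():
            return False
        user = self.users[record.user_id]
        if self.bind_reset_to_email and user.email != record.email_at_issue:
            return False  # hardened: the address this link went to is no longer on the account
        user.salt, user.password_hash = _hash_password(new_password)
        self.outbox.append((user.email, "password-changed", ""))
        return True

    def verify_password(self, email: str, password: str) -> bool:
        user = self._user_by_email(email)
        if user is None:
            return False
        _, digest = _hash_password(password, user.salt)
        return hmac.compare_digest(digest, user.password_hash)


def replay_report(bind_reset_to_email: bool) -> bool:
    """Replays the report's steps. Returns True if the reset link mailed to the old
    address still changes the password of the account now on the new address."""
    svc = AccountService(bind_reset_to_email)
    svc.register("dude@kumail8.info", "original-password")
    svc.request_email_change(1, "cozehizot@send22u.info")
    svc.request_password_reset("dude@kumail8.info")  # requested before the change is confirmed
    confirm = next(t for _, kind, t in svc.outbox if kind == "confirm-email")
    svc.confirm_email_change(confirm)
    stale = next(t for to, kind, t in svc.outbox
                 if kind == "reset-password" and to == "dude@kumail8.info")
    changed = svc.reset_password(stale, "attacker-chosen")
    return changed and svc.verify_password("cozehizot@send22u.info", "attacker-chosen")


if __name__ == "__main__":
    print("stale link works (reported behaviour):", replay_report(False))
    print("stale link works (hardened):", replay_report(True))
```

The important part is the check in reset_password comparing the account's current address with email_at_issue, plus the revocation in confirm_email_change; either alone closes the reported sequence, and keeping both also covers a token that was issued after the change request but before confirmation. Tokens are single use and time-limited, and only their hashes are stored, which are the other properties a reset flow needs regardless of this bug.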