Account Takeover via Password Reset (Disclosed Tokens)

Account takeover (ATO) vulnerabilities occur when an attacker gains unauthorized access to a user's account. One common vector for ATO vulnerabilities is through the password reset functionality. In this article, we will explore how vulnerabilities can arise in this process and what measures can be taken to prevent them.

When performing a penetration test, it’s important to thoroughly test the password reset feature to ensure it doesn’t inadvertently expose sensitive information. In some cases, the reset process may reveal details that an attacker could exploit.

Testing Process

Take for instance a website called app.website.com. The password reset logic is as follows:

  1. Submit a valid email

  2. A password reset link is sent to that email address

  3. Click on the link to reset the password

When you go through the process normally and try to reset your password, you get a mail with this password reset link: https://app.website.com/resetpassword?uuid=abcdefghij12345&token=qwertyuiop67890

But let's take a look at what happens as you proxy your requests through Burp (or any other interception tool).

When you submit the email address to reset the password, an API request is sent with an email parameter.

{"email": "youremail@gmail.com"}

The application responds with this:

{
    "message": "Password reset link has been sent to the email address",
    "data": {
        "uuid": "abcdefghij12345",
        "passwordResetToken": "qwertyuiop67890"
    }
}

This is interesting because the uuid and passwordResetToken in the response are exactly the two values carried by the reset link that arrived in your mailbox (https://app.website.com/resetpassword?uuid=abcdefghij12345&token=qwertyuiop67890). In other words, the API hands the caller everything the link contains; the email is not the only channel for the secret.

So watch what happens when you try to reset another user's password.

{"email": "victim@gmail.com"}

The application responds with a fresh uuid and token, this time for the victim's account:

{
    "message": "Password reset link has been sent to the email address",
    "data": {
        "uuid": "zxcvbn01928374",
        "passwordResetToken": "plmqazoknwsx57483920"
    }
}

So what does this mean?

It means the application discloses, to whoever submits an email address, the two parameters needed to reset that account's password. The attacker never needs access to the victim's inbox and never has to intercept anything in transit: with just the victim's email address, they request a reset, read uuid and passwordResetToken from the response, build https://app.website.com/resetpassword?uuid=zxcvbn01928374&token=plmqazoknwsx57483920 themselves, set a new password and log in. The victim does receive a reset mail they did not ask for, but by then the link has already been used. This is a full account takeover.

How Developers Can Prevent This

To mitigate this risk, the response to a reset request should carry nothing but a generic message, and the same message whether or not the address is registered, so the endpoint does not enumerate users either. The uuid and token belong in the email only; no client that can call the API should be able to read them back. The token itself should be long and generated from a cryptographically secure random source, short-lived, single-use, stored server-side only as a hash (so a database leak does not hand out live reset links), and invalidated whenever a new reset is requested or the password changes. Finally, don't assume your application will only be used through its intended UI: a "link has been sent" message on screen says nothing about what the response body contains, so review every API response through a proxy, not just what the browser renders.
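As an added example that is not code from the article or from the application it describes, here is a toy version of the flow in Python. It contains the leaky reset handler the testing process above found, a hardened handler implementing the measures just listed, the server side of redeeming a link, and the check a tester would run on a response: does anything in the JSON body equal a query parameter of the link that arrived by email? Everything beyond the endpoint path and the parameter names quoted in the article is an assumption: the in-memory user and token stores, the OUTBOX list standing in for a mail server, the fifteen-minute lifetime and the function names.

```python
"""Toy password-reset backend: the leaky version the article describes next
to a hardened one, plus the tester's leakage check.  All stores, names and
the 'outbox' standing in for e-mail are assumptions made for this demo."""
import hashlib
import hmac
import secrets
import time
import uuid as uuidlib
from urllib.parse import parse_qs, urlparse

BASE = "https://app.website.com/resetpassword"   # path taken from the article's reset link
TOKEN_TTL = 15 * 60                               # assumed policy: links live 15 minutes

# Constructed data: one registered user, keyed by e-mail address.
USERS = {"victim@gmail.com": {"uuid": str(uuidlib.uuid4())}}
OUTBOX = []          # (recipient, link); only the inbox owner can read this in real life
RESET_TOKENS = {}    # uuid -> {"hash": sha256(token), "expires": epoch seconds, "used": bool}


def _h(token):
    return hashlib.sha256(token.encode()).hexdigest()


def reset_link(user_uuid, token):
    return f"{BASE}?uuid={user_uuid}&token={token}"


def link_params(link):
    """Query parameters of a reset link as a flat dict."""
    return {k: v[0] for k, v in parse_qs(urlparse(link).query).items()}


def _issue_token(email, user):
    """Generate a fresh token, store only its hash, 'mail' the link.  Any
    earlier token for this uuid is overwritten and therefore invalidated."""
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[user["uuid"]] = {"hash": _h(token), "expires": time.time() + TOKEN_TTL, "used": False}
    OUTBOX.append((email, reset_link(user["uuid"], token)))
    return token


def request_reset_vulnerable(email):
    """The behaviour the article found: uuid and token echoed in the response body."""
    user = USERS.get(email)
    if user is None:
        return {"message": "No account with that email"}   # also enumerates users
    token = _issue_token(email, user)
    return {"message": "Password reset link has been sent to the email address",
            "data": {"uuid": user["uuid"], "passwordResetToken": token}}


def request_reset_secure(email):
    """Hardened: identical generic message for known and unknown addresses;
    the token leaves the server only inside the e-mail."""
    user = USERS.get(email)
    if user is not None:
        _issue_token(email, user)
    return {"message": "If that address is registered, a reset link has been sent"}


def consume_reset_token(user_uuid, token):
    """Server side of clicking the link: single-use, time-limited, constant-time compare."""
    rec = RESET_TOKENS.get(user_uuid)
    if rec is None or rec["used"] or time.time() > rec["expires"]:
        return False
    if not hmac.compare_digest(rec["hash"], _h(token)):
        return False
    rec["used"] = True
    return True


def response_leaks_link_secrets(body, mailed_link):
    """Tester's check: JSON paths whose string value equals any query
    parameter value of the link that arrived by e-mail."""
    secrets_in_mail = set(link_params(mailed_link).values())
    found = []

    def walk(node, path):
        if isinstance(node, dict):
            for k, v in node.items():
                walk(v, f"{path}.{k}" if path else k)
        elif isinstance(node, list):
            for i, v in enumerate(node):
                walk(v, f"{path}[{i}]")
        elif isinstance(node, str) and node in secrets_in_mail:
            found.append(path)

    walk(body, "")
    return found


def attacker_takeover(email):
    """Attacker path from the article: request a reset for the victim, build
    the link from the response alone, redeem it without touching the inbox."""
    body = request_reset_vulnerable(email)
    data = body.get("data")
    if not data:
        return False
    q = link_params(reset_link(data["uuid"], data["passwordResetToken"]))
    return consume_reset_token(q["uuid"], q["token"])
```

Run attacker_takeover("victim@gmail.com") against the vulnerable handler and it returns True without OUTBOX ever being read; against the secure handler the same response carries no data field, response_leaks_link_secrets returns an empty list, and only the link in OUTBOX redeems the token, exactly once. The constant-time compare and the hash-at-rest are cheap habits worth keeping even though the article's bug is the echo in the response.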

Written by

Chioma Ibeakanma