Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
hackeroneNaateghH1:806055
HistoryFeb 27, 2020 - 8:10 a.m.

X (Formerly Twitter): Reset password without knowing current password

2020-02-2708:10:11
naategh
hackerone.com
284
JSON

Description

Hi team,
I found an interesting flaw in your password recovery mechanism that can get the ability of reset password without a valid token and knowing current password. I’m going to explain it here:
In https://www.twitterflightschool.com/ domain if you try to reset your password from https://www.twitterflightschool.com/student/authentication/request_password_reset you’ll get a reset password link in your email that is like:
https://www.twitterflightschool.com/student/authentication/reset_password/<TOKEN>
If you logged in to your account your application doesn’t validate token at all, Actually for reset password, we don’t need a token! and just via https://www.twitterflightschool.com/student/authentication/reset_password/ link, we can reset our password!

In this domain, On the profile page, for changing the password you should enter the current password first but using this issue it’s possible to bypass this and update the password without knowing the current password.
Note: For abusing this issue an attacker first need to hijack victim’s session because while you using https://www.twitterflightschool.com/student/authentication/reset_password/ to change password it changes current user password, So attack scenario is limited to when an attacker successfully hijacked a victim session and hi want to update password (but he don’t know current password), Hi use this issue to bypass Change Password in profile section and update password without knowing the current password.

PoC

With the assumption that the victim’s twitter session is ‘hijacked’ and in a ‘logged in’ state for the hacker. The below steps must be followed In order to reproduce the security vulnerability.

Fix

For fixing this simply you can reject requests to /student/authentication/reset_password/ endpoint without a valid token even while user logged in.

Impact

An attacker after hijacking a victim session can abuse this to update the password while he doesn’t know the current password, By changing the password he can block user access to his account.

Best regards,
@Naategh

JSON