Lucene search

K
huntrLengochoa71120000F35B1D3-56E6-49E4-BC5A-830F52E094B3
HistoryJun 06, 2022 - 5:48 p.m.

Incorrect use of privileged APIs to steal victim's account

2022-06-0617:48:35
lengochoa7112000
www.huntr.dev
15

0.002 Low

EPSS

Percentile

57.2%

Description

When user can edit their profile –> Incorrect use of privileged APIs to steal victim’s account

Proof of Concept


1. Login with hacker's account, get the request when edit profile
2. Replace the endpoint and email with victim's one
3. Send the request.
POC video:
https://drive.google.com/file/d/1fhauDTJ0sbDSMoAuRydHE-60wC8XE_ic/view?usp=sharing

0.002 Low

EPSS

Percentile

57.2%

Related for 0F35B1D3-56E6-49E4-BC5A-830F52E094B3