Hello Hackers,
Let’s read some Cybersecurity blogs…



Today, we will look at an interesting vulnerability involving the “Email Change“ and “Forgot Password” features. It is a case of “Broken Authentication“: a password-reset link that remains valid even after the email address it was sent to is no longer attached to the account…
When I was bug hunting on the most popular music app, “Spotify“, I came across an email-change feature, so I tried some weird tricks.



Vulnerability Reproduction Steps:
- Suppose there are two email addresses, “email1@wearehackerone.com“ and “email2@wearehackerone.com“, and the account is currently registered to the first one.
- Request a forgot-password link for “email1@wearehackerone.com“, but do not use this link yet.
- The second part of exploiting this vulnerability is to change the account's email address (from email1@wearehackerone.com to email2@wearehackerone.com).
- The account is now linked to “email2@wearehackerone.com“.
- Now open the “Forgot password“ link that was previously sent to email1@wearehackerone.com and set a new password.
- The password is changed. Technically this should have failed: the link was issued for an email address that is no longer attached to the account, so it should have been invalidated when the email was changed.
- Now log in with “email2@wearehackerone.com“ and the newly set password….. Surprisingly, you will be logged in…
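The steps above amount to a reset token that is bound only to the account, not to the email address it was issued for. The following is an added example, not Spotify's code or anything from the original post: a small in-memory model of the register / forgot-password / change-email / login flows, with a `hardened` switch. With `hardened=False` the token survives the email change exactly as described above; with `hardened=True` the token records the address it was issued for, is revoked when the address changes, and is rejected if the address no longer matches. All class and function names (`AuthService`, `reproduce`, and so on) and the toy hashing are assumptions made for the illustration.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Account:
    account_id: int
    email: str
    password_hash: str


def _hash(value: str) -> str:
    # Toy hashing for the example only; use a real password hash (argon2/bcrypt) in production.
    return hashlib.sha256(value.encode()).hexdigest()


class AuthService:
    """Minimal model of the account, email-change and forgot-password flows (hypothetical).

    hardened=False: a reset token is tied only to the account id, so it survives an
    email change (the behaviour described in the post).
    hardened=True: the token also records the email it was issued for, every outstanding
    token is revoked when the email changes, and a token whose issued-for address no
    longer matches the account is rejected."""

    def __init__(self, hardened: bool, token_ttl: int = 3600):
        self.hardened = hardened
        self.token_ttl = token_ttl
        self.accounts_by_email: Dict[str, Account] = {}
        self.accounts_by_id: Dict[int, Account] = {}
        # sha256(token) -> (account_id, issued_for_email, expires_at); only the digest is stored
        self.reset_tokens: Dict[str, Tuple[int, str, float]] = {}

    def register(self, email: str, password: str) -> Account:
        acct = Account(len(self.accounts_by_id) + 1, email, _hash(password))
        self.accounts_by_email[email] = acct
        self.accounts_by_id[acct.account_id] = acct
        return acct

    def login(self, email: str, password: str) -> bool:
        acct = self.accounts_by_email.get(email)
        return acct is not None and secrets.compare_digest(acct.password_hash, _hash(password))

    def request_reset(self, email: str) -> Optional[str]:
        """Returns the raw token that would be emailed to `email`, or None if unknown
        (a real endpoint should answer identically in both cases to avoid enumeration)."""
        acct = self.accounts_by_email.get(email)
        if acct is None:
            return None
        token = secrets.token_urlsafe(32)
        self.reset_tokens[_hash(token)] = (acct.account_id, email, time.time() + self.token_ttl)
        return token

    def change_email(self, old_email: str, new_email: str) -> None:
        acct = self.accounts_by_email.pop(old_email)
        acct.email = new_email
        self.accounts_by_email[new_email] = acct
        if self.hardened:
            # Revoke every outstanding reset token for this account: whoever controls
            # the old mailbox must not keep a foothold after the address is changed.
            self.reset_tokens = {
                digest: entry for digest, entry in self.reset_tokens.items()
                if entry[0] != acct.account_id
            }

    def redeem_reset(self, token: str, new_password: str) -> bool:
        entry = self.reset_tokens.pop(_hash(token), None)  # pop: tokens are single-use
        if entry is None:
            return False
        account_id, issued_for, expires_at = entry
        if time.time() > expires_at:
            return False
        acct = self.accounts_by_id[account_id]
        if self.hardened and acct.email != issued_for:
            # Belt and braces: even if revocation were missed, a token issued for an
            # address the account no longer uses is not honoured.
            return False
        acct.password_hash = _hash(new_password)
        return True


def reproduce(hardened: bool) -> bool:
    """Replays the post's steps. Returns True if the attacker ends up logged in as the
    victim via the stale reset link, i.e. the bug is present."""
    svc = AuthService(hardened=hardened)
    svc.register("email1@wearehackerone.com", "victim-original-pw")
    # Step 1: attacker (who can read email1's inbox) requests a reset link and keeps it.
    link = svc.request_reset("email1@wearehackerone.com")
    # Step 2: victim notices and moves the account to email2.
    svc.change_email("email1@wearehackerone.com", "email2@wearehackerone.com")
    # Step 3: attacker uses the old link anyway.
    reset_ok = svc.redeem_reset(link, "attacker-chosen-pw")
    # Step 4: attacker logs in with the new address and the password they just set.
    return reset_ok and svc.login("email2@wearehackerone.com", "attacker-chosen-pw")


if __name__ == "__main__":
    print("vulnerable model:", reproduce(hardened=False))  # True
    print("hardened model: ", reproduce(hardened=True))   # False
```

The fix that matters is in `change_email`: an email change (like a password change) should invalidate every outstanding reset token for the account. Checking the issued-for address in `redeem_reset` is a second, independent line of defence so that a missed revocation path does not reopen the hole.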
Scenario:
- Suppose my mailbox is compromised. The attacker requests a password-reset link for my Spotify account.
- Once I find out, I change the email address on my Spotify account.
- But the attacker can still reset my password using the reset link that was sent to the old address.
I reported this to “Spotify”, but they marked it as “Not Applicable“, so I decided to disclose this report…
Video POC:
That’s all for the day guys…
Happy Hacking!!