Let’s read some Cybersecurity blogs…
Today we will learn about a very interesting vulnerability in the “Email change” and “Forgot password” features, which shows that the web application is vulnerable to “Broken Authentication”: a password-reset link that keeps working after the account’s email address has been changed.
When I was bug hunting on the most popular song app “Spotify”, I came across an email-changing feature, so I tried some weird tricks.
Vulnerability Reproduction Steps:
- Let’s suppose there are two email addresses, “firstname.lastname@example.org” and “email@example.com”.
- Request a forgot-password link for “firstname.lastname@example.org”, but do not use this link yet.
- The second part of exploiting this vulnerability is to change the email address on an account (like email@example.com —-> firstname.lastname@example.org).
- Now the account is linked with “email@example.com”.
- Now use the “Forgot password” link for firstname.lastname@example.org that was sent earlier.
- Change the password for the account using that link (technically the password should not be changeable now, as the email address has been changed).
- Now use “email@example.com” and the reset password….. Surprisingly, you will be logged in…
- Suppose my email account is compromised, and the attacker requests a password-reset link for my Spotify account.
- Once I find out, I change the email address on my Spotify account.
- But the attacker can still reset my password using the reset link that was sent to the old address.
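To make the failure mode concrete, here is an added example (not Spotify’s code, and not from the original post) of a minimal password-reset service. The `bind_to_email=False` mode models the behaviour described in the steps above: a reset token stays valid after the account’s email address changes. The `bind_to_email=True` mode is the hardened variant, which records the address each token was sent to, rejects the token if that address no longer matches the account, and revokes every outstanding token when the address changes. All class names, account data and passwords below are constructed for the example.

```python
"""
Added example: password-reset tokens and the email-change edge case.
Not Spotify's code; every account, token and name here is constructed.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Account:
    user_id: int
    email: str
    password_hash: str


@dataclass
class ResetToken:
    user_id: int
    email: str          # the address the reset link was delivered to
    expires_at: float


def _hash(value: str) -> str:
    # Plain SHA-256 keeps the example dependency-free; a real system must use a
    # password hash such as argon2 or bcrypt for passwords (token hashing is fine).
    return hashlib.sha256(value.encode()).hexdigest()


class ResetService:
    def __init__(self, bind_to_email: bool):
        # bind_to_email=False: token is tied only to the account (the post's bug).
        # bind_to_email=True: token is tied to the email it was sent to (hardened).
        self.bind_to_email = bind_to_email
        self.accounts: Dict[int, Account] = {}
        self.tokens: Dict[str, ResetToken] = {}   # keyed by hash of the raw token

    def add_account(self, user_id: int, email: str, password: str) -> None:
        self.accounts[user_id] = Account(user_id, email, _hash(password))

    def _find(self, email: str) -> Optional[Account]:
        return next((a for a in self.accounts.values() if a.email == email), None)

    def request_reset(self, email: str, ttl: float = 3600.0) -> Optional[str]:
        """Issue a reset token for the account owning `email` (None if unknown)."""
        acct = self._find(email)
        if acct is None:
            return None
        raw = secrets.token_urlsafe(32)
        # Store only the hash so a database leak does not expose live tokens.
        self.tokens[_hash(raw)] = ResetToken(acct.user_id, email, time.time() + ttl)
        return raw

    def change_email(self, user_id: int, new_email: str) -> None:
        self.accounts[user_id].email = new_email
        if self.bind_to_email:
            # Revoke every outstanding reset token for this account: a link that
            # was sent to the old address must not be able to change the password.
            self.tokens = {h: t for h, t in self.tokens.items() if t.user_id != user_id}

    def reset_password(self, raw_token: str, new_password: str) -> bool:
        tok = self.tokens.pop(_hash(raw_token), None)     # single use
        if tok is None or tok.expires_at < time.time():
            return False
        acct = self.accounts[tok.user_id]
        if self.bind_to_email and tok.email != acct.email:
            return False   # token was sent to an address no longer on the account
        acct.password_hash = _hash(new_password)
        return True

    def login(self, email: str, password: str) -> bool:
        acct = self._find(email)
        return acct is not None and hmac.compare_digest(acct.password_hash, _hash(password))


def replay_scenario(bind_to_email: bool) -> bool:
    """Replay the post's steps; True means the stale link still took over the account."""
    svc = ResetService(bind_to_email)
    svc.add_account(1, "firstname.lastname@example.org", "original-password")
    link = svc.request_reset("firstname.lastname@example.org")  # request link, do not use it
    svc.change_email(1, "email@example.com")                    # owner changes the address
    reset_ok = svc.reset_password(link, "new-password")         # old link is used afterwards
    return reset_ok and svc.login("email@example.com", "new-password")


if __name__ == "__main__":
    print("unbound tokens, stale link works:", replay_scenario(False))   # True
    print("email-bound tokens, stale link works:", replay_scenario(True))  # False
```

The two defences are deliberately redundant: revoking tokens on an email change covers the common case, while binding each token to the delivery address also protects against a token that was issued between the change and the revocation, or a revocation that fails for any reason. Either check alone would have stopped the scenario in the post.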
I reported this to “Spotify”, but they marked it as “Not applicable”, so I decided to disclose this report…
That’s all for the day guys…