Unauthorized Email Address Change Blocks User Account Access | POC |

  • Published 19 Sep 2024
  • A critical security vulnerability has been identified on the Compass website that allows an attacker to block a legitimate user from creating an account, signing in, or resetting their password. The root cause is a business-logic flaw: the email address on a profile can be changed through the API to an address the caller does not control, so an attacker can occupy a victim's email address and prevent the victim's profile from being created, leaving the victim unable to access their account.
    Steps To Reproduce:
    Prerequisites:
    - An attacker must have an active account on Compass.
    - Knowledge of a legitimate user's email address.
    Exploitation Steps:
    1. Attacker changes their own email address to the victim's:
       a. The attacker uses the people-update API endpoint to set the email address on their own Compass profile to the victim's known email address. The change takes effect without any verification of the new address.
       b. The endpoint used for this purpose is "PUT /api/v3/people/6525eb8efceaf70001177125".
    2. Attacker attempts to create the victim's account:
       a. The attacker starts account creation with the victim's email address, which since step 1 is attached to the attacker's profile.
       b. Compass fails to create the profile because it detects that the email address is already in use.
    3. Attacker reverts their own email address:
       a. To avoid locking themselves out, the attacker restores their own email address with a request similar to the one in step 1, this time carrying their own address.
    POC Code:
    gist.github.co...
    Recommendation:
    To address this critical security vulnerability, we recommend the following actions:
    - Strengthen the business logic so that user profiles are created only for successfully registered users.
    - Require proof of control of the new address before an email change takes effect (for example, a confirmation link sent to the new address), and enforce email uniqueness at update time as well as at registration.
    - Enforce authorization checks on the email-update endpoint so that only the profile owner (or an administrator) can change a profile's address.
    - Add additional security layers to the account creation and password reset flows.
    - Monitor and alert on suspicious account activity, such as repeated email changes on a single profile.
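    As an added illustration (this is not the gist linked above and not Compass's own code), the three exploitation steps and the verify-before-apply fix from the recommendations are modelled below in Python against a toy in-memory profile store. `PeopleStore`, the profile IDs and the two example addresses are assumptions made for the example; the real endpoint `PUT /api/v3/people/{id}` and its server-side checks are not reproduced.

```python
"""Model of the lockout-by-email-occupation flaw described in the report.

Added illustration, not the author's gist and not Compass code. `PeopleStore`
is a toy stand-in for the people/profile store behind PUT /api/v3/people/{id}.
It runs with two policies: apply an email change immediately (the behaviour the
report describes) or apply it only after the new address has been verified.
"""
from __future__ import annotations

import secrets
from dataclasses import dataclass


class EmailInUse(Exception):
    """Raised when an address is already attached to another profile."""


@dataclass
class Person:
    person_id: str
    email: str


class PeopleStore:
    def __init__(self, verify_new_address: bool):
        self.verify_new_address = verify_new_address
        self.people: dict[str, Person] = {}
        # person_id -> (staged email, one-time token mailed to that address)
        self.pending: dict[str, tuple[str, str]] = {}

    def _owner_of(self, email: str) -> str | None:
        for p in self.people.values():
            if p.email == email.lower():
                return p.person_id
        return None

    def register(self, person_id: str, email: str) -> Person:
        """Sign-up: a profile is created only if the address is free."""
        if self._owner_of(email) is not None:
            raise EmailInUse(email)
        person = Person(person_id, email.lower())
        self.people[person_id] = person
        return person

    def update_email(self, person_id: str, new_email: str) -> str | None:
        """Toy model of the email-update API call.

        Immediate policy: the change is applied at once, with no proof that the
        caller controls new_email. Verified policy: the change is staged and a
        token is mailed to new_email; nothing changes until it is confirmed.
        Returns the token (which would only reach the mailbox owner) or None.
        """
        new_email = new_email.lower()
        owner = self._owner_of(new_email)
        if owner is not None and owner != person_id:
            raise EmailInUse(new_email)
        if not self.verify_new_address:
            self.people[person_id].email = new_email
            return None
        token = secrets.token_urlsafe(16)
        self.pending[person_id] = (new_email, token)
        return token

    def confirm_email(self, person_id: str, token: str) -> bool:
        """Second step of the verified policy; only the mailbox owner has the token."""
        staged = self.pending.pop(person_id, None)
        if staged is None or not secrets.compare_digest(staged[1], token):
            return False
        new_email = staged[0]
        # Re-check uniqueness: the real owner may have registered meanwhile.
        if self._owner_of(new_email) not in (None, person_id):
            return False
        self.people[person_id].email = new_email
        return True


# Constructed sample addresses and IDs for the walkthrough.
ATTACKER, VICTIM = "attacker@example.com", "victim@example.com"
ATTACKER_ID, VICTIM_ID = "attacker-id", "victim-id"


def can_victim_register(store: PeopleStore) -> bool:
    try:
        store.register(VICTIM_ID, VICTIM)
    except EmailInUse:
        return False
    return True


def run_vulnerable() -> dict:
    """Steps 1-3 of the report against the immediate-apply policy."""
    store = PeopleStore(verify_new_address=False)
    store.register(ATTACKER_ID, ATTACKER)
    store.update_email(ATTACKER_ID, VICTIM)       # step 1: occupy the victim's address
    blocked = not can_victim_register(store)      # step 2: victim's sign-up is refused
    store.update_email(ATTACKER_ID, ATTACKER)     # step 3: attacker reverts
    return {"victim_blocked": blocked, "freed_after_revert": can_victim_register(store)}


def run_hardened() -> dict:
    """The same sequence against the verify-before-apply policy."""
    store = PeopleStore(verify_new_address=True)
    store.register(ATTACKER_ID, ATTACKER)
    token = store.update_email(ATTACKER_ID, VICTIM)   # staged; token goes to the victim's inbox
    unchanged = store.people[ATTACKER_ID].email == ATTACKER
    victim_ok = can_victim_register(store)
    # Even if the token leaked later, the uniqueness re-check refuses the change.
    late_confirm = store.confirm_email(ATTACKER_ID, token)
    return {"attacker_email_unchanged": unchanged,
            "victim_can_register": victim_ok,
            "late_confirm_rejected": not late_confirm}
```

    The vulnerable run shows the block appearing in step 2 and disappearing once the attacker reverts in step 3; the hardened run shows that a change staged behind a confirmation token never takes effect for an address the caller cannot read mail for, so the victim's registration succeeds.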
    Supporting Material/References:
    {F2763943}
    Impact
    As a result of this vulnerability, the following impacts are observed:
    - *Blocking Victim's Account:* The victim is effectively locked out of their own account, as their email address is changed, and the attacker deliberately prevents the creation of their user profile.
    - *Inability to Create an Account:* The legitimate user cannot create a new account using their own email address, as the system recognizes the email as already in use.
    - *Preventing Sign-In:* The legitimate user cannot sign in with their credentials because their user profile was not successfully created.
    - *Disabling Password Reset:* Even if the victim attempts to reset their password, it won't work as their email address is not associated with a valid user profile.
    Timeline:
    2023-10-11 : @socialcodia (bug informative)
    Hey @mufazmi ,
    Thank you for your report!
    After review, there doesn’t seem to be any significant security risk and/or security impact as a result of the behavior you are describing.
    As a result, we will be closing this report as informative. If you are able to leverage this into a practical exploitation scenario, we will be happy to reevaluate this report.
    This will not have any impact on your Signal or Reputation score. We appreciate your effort and look forward to seeing more reports from you in the future.
    Kind regards,
    @socialcodia
    I'm Umair Farooqui, a passionate software engineer and security researcher dedicated to uncovering vulnerabilities in systems worldwide. With a strong background in ethical hacking, I delve into the intricacies of cybersecurity to safeguard digital infrastructures.
    🌐 Connect with Me:
    - GitHub: github.com/muf...
    - Instagram: / mufazmi
    - Twitter: / mufazmi
    - HackerOne: hackerone.com/...
    - Bugcrowd: bugcrowd.com/m...
    📱 Contact Me:
    - WhatsApp: +91 9867503256
    Note: All content shared on this channel is for educational purposes only.

COMMENTS • 4

  • @ayushmanngupta7027 19 days ago +1

    Does the Python script only work when the email has already been used in the application?

    • @mufazmi 19 days ago

      @ayushmanngupta7027 Yeah, you are right. Actually I wrote the script for the POC to automate things.

  • @kiirapookii 11 months ago +1

    Valid? Or duplicate?? Brother

    • @mufazmi 10 months ago

      Bro, as there is no security impact they have marked it as informative.
      All the details are mentioned in the description, also the py code.
      There may be some security impact, just try to find it out.