Account Takeover — Story of 2 same issues in a single program but different sub-domains.

Here’s My Story :-

Past Finding :-

  1. During the sign-up process on app.target.com, the system was not checking whether the email was actually owned by the user.
  2. The application was also not verifying whether the email id was already registered on the server.
  3. So I was able to sign up with any email id and take over any user account.

I thought let’s take it to something more severe, so I tested support@target.com and voila, I was able to take it over and view all projects.

  • They fixed it by verifying whether the email is already registered or not, but didn’t implement a check on whether the user is the owner of the email.
  • That means there is still no ownership verification in the sign-up process.
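To make the two failure modes concrete, here is an added, constructed illustration (not the target program's code; its real implementation is unknown): a sign-up handler in the original shape, in the "duplicate check only" shape of the first fix, and in a hardened shape where the account only becomes usable once a one-time token mailed to the address is presented back. The storage, the `example.com` addresses and the placeholder hash are all assumptions of this example.

```python
import hashlib
import secrets

# Constructed in-memory stand-ins for the app's user DB and mail queue (real storage unknown).
accounts: dict = {}   # email -> {"pw": password hash, "verified": bool}
pending: dict = {}    # one-time token -> email awaiting confirmation
outbox: list = []     # (email, token) pairs the app "mailed", kept so the flow can be inspected

def _hash(pw: str) -> str:   # placeholder hash; use a real password KDF (argon2/bcrypt) in practice
    return hashlib.sha256(pw.encode()).hexdigest()

def signup_original(email: str, password: str) -> str:
    """As described in the post: no duplicate check and no ownership proof, so a
    second sign-up with someone else's email replaces their credentials."""
    accounts[email] = {"pw": _hash(password), "verified": True}
    return "active"

def signup_duplicate_check_only(email: str, password: str) -> str:
    """First fix: refuse already-registered emails; still no proof of mailbox control."""
    if email in accounts:
        return "rejected"
    accounts[email] = {"pw": _hash(password), "verified": True}
    return "active"

def signup_hardened(email: str, password: str) -> str:
    """Duplicate check plus ownership proof: the account is unusable until the mailbox
    holder presents the token, and an unconfirmed claim cannot lock out the real owner."""
    if email in accounts and accounts[email]["verified"]:
        return "rejected"
    for old in [t for t, e in pending.items() if e == email]:
        pending.pop(old)   # any earlier unconfirmed claim on this address loses its token
    token = secrets.token_urlsafe(32)
    accounts[email] = {"pw": _hash(password), "verified": False}
    pending[token] = email
    outbox.append((email, token))
    return "pending"

def confirm_email(token: str):
    """Activate the account tied to a valid, unused token; return its email, else None."""
    email = pending.pop(token, None)
    if email is None or email not in accounts:
        return None
    accounts[email]["verified"] = True
    return email

def login(email: str, password: str) -> bool:
    acct = accounts.get(email)
    return bool(acct and acct["verified"] and acct["pw"] == _hash(password))
```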

After one year [September 2021], the story continues.

  • I immediately reported it to them.
  • They didn’t have these subdomains in their scope list, but because it is a high-impact issue they accepted it.
  • I didn’t find these subdomains through scanners like findomain, sublist3r, etc. It was manual work. These subdomains were not on Google.

What I Learned from this :-

himanshu pdy

Security Analyst.
