Account Takeover: the same issue twice in a single program, on different subdomains.

Here’s My Story :-

Past Finding :-

About a year ago, around this same time, I found a straightforward account-takeover issue. The scope was very limited: only three subdomains.

  1. During the sign-up process on app.target.com, the application did not check whether the user actually owned the email address.
  2. It also did not check whether the email address was already registered.
  3. So I could sign up with any email address and take over any existing user's account.

I thought, let's take it to something more severe, so I tested support@target.com and, voilà, I took it over and could view all of its projects.

So I reported it to them through HackerOne, and they patched it by checking whether the email is already registered. They rewarded me with a 3-digit bounty; I expected 4 digits ... LOL.

  • They fixed it by checking whether the email is already registered, but did not implement a check that the user actually owns the email address.
  • In other words, there was still no ownership verification in the sign-up process.
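To make the three states concrete (the original sign-up, the partial patch, and what a complete fix looks like), here is an added example; it is not the target's code and not from the original post. The store, the `support@target.com` seed account, its projects and the passwords are constructed test data, and the function names are mine.

```python
import hashlib
import secrets
from dataclasses import dataclass, field


@dataclass
class User:
    email: str
    password_hash: str
    verified: bool
    projects: list = field(default_factory=list)


class Store:
    """Constructed in-memory stand-in for the application's user table."""
    def __init__(self):
        self.users: dict[str, User] = {}
        self.pending: dict[str, str] = {}   # verification token -> email


def hash_pw(password: str) -> str:
    # Illustrative only; a real service uses a slow KDF such as argon2 or bcrypt.
    return hashlib.sha256(password.encode()).hexdigest()


def seed_store() -> Store:
    # A pre-existing account the attacker does not control (assumed test data).
    s = Store()
    s.users["support@target.com"] = User(
        "support@target.com", hash_pw("old-pass"), True, ["project-a", "project-b"])
    return s


def login(store: Store, email: str, password: str):
    """Returns the User on success, else None. Unverified accounts cannot log in."""
    u = store.users.get(email)
    if u is None or not u.verified:
        return None
    if not secrets.compare_digest(u.password_hash, hash_pw(password)):
        return None
    return u


# 1. Original behaviour described on the page: no duplicate check and no
#    ownership check. Signing up with someone else's address simply sets a new
#    password on their existing account (an upsert), which is the takeover.
def signup_vulnerable(store: Store, email: str, password: str) -> bool:
    u = store.users.get(email)
    if u is None:
        u = User(email, "", True)
        store.users[email] = u
    u.password_hash = hash_pw(password)
    return True


# 2. The first patch described on the page: refuse addresses that are already
#    registered. Existing accounts are now safe, but anyone can still register
#    an address they do not own, and that account is live immediately.
def signup_dedup_only(store: Store, email: str, password: str) -> bool:
    if email in store.users:
        return False   # caveat: a distinct "already registered" reply is an enumeration oracle
    store.users[email] = User(email, hash_pw(password), True)
    return True


# 3. Hardened: the account is created inactive and only becomes usable once a
#    single-use token sent to the mailbox is presented back, proving ownership.
def signup_hardened(store: Store, email: str, password: str):
    """Returns the token to e-mail to `email`, or None if nothing was created.
    The HTTP reply to the client should read "check your inbox" in both cases
    so that sign-up cannot be used to enumerate registered addresses."""
    if email in store.users:
        return None
    store.users[email] = User(email, hash_pw(password), False)
    token = secrets.token_urlsafe(32)
    store.pending[token] = email
    return token


def verify_email(store: Store, token: str) -> bool:
    email = store.pending.pop(token, None)   # single use: a replayed token fails
    if email is None:
        return False
    store.users[email].verified = True
    return True
```

When testing a sign-up flow, the check that matters is the second function's weakness: register an address you do not control and see whether the resulting session is usable at all, on every host that shares the user database. In a real deployment the unverified rows created by `signup_hardened` also need an expiry, otherwise an attacker can squat an address and block its real owner from registering.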

A year later, in September 2021, the story continues.

  • I found the same sign-up issue on other subdomains and immediately reported it to them.
  • Those subdomains were not on their scope list, but because the impact is high they accepted the report.
  • I did not find these subdomains with scanners like findomain or sublist3r; it was manual discovery. They were not indexed by Google either.

What I Learned from this :-

Don't rely on scanners to find interesting subdomains. Poke around the target's web application and its Android application as well; you may find domains worth testing. Always try to widen your attack surface.
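One way to do that manual discovery systematically, as an added example that is not from the original post: pull hostnames under the program's domain out of whatever the client ships (decoded APK resources, config files, web bundles) and diff them against the published scope. The file contents, the `target.com` hostnames and the in-scope list below are constructed for the example.

```python
import re

# Constructed sample of what you might find after decoding an Android APK
# (res/values/strings.xml, an assets properties file) and in a web JS bundle.
SAMPLE_FILES = {
    "res/values/strings.xml": """
        <string name="api_base">https://api.target.com/v2/</string>
        <string name="legacy_login">https://legacy-auth.target.com/login</string>
        <string name="privacy">https://www.target.com/privacy</string>
    """,
    "assets/config.properties": (
        "push.host=push-gw.target.com\n"
        "cdn=https://cdn-assets.target.com/\n"
    ),
    "static/main.js": (
        'fetch("https://partner-portal.target.com/api/session");'
        ' var appHost = "APP.target.com";'
    ),
}

# Assumed published scope (the page says three subdomains but does not name them).
IN_SCOPE = {"app.target.com", "www.target.com", "api.target.com"}

# Any label sequence ending in .target.com; word boundaries stop partial matches.
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+target\.com)\b", re.IGNORECASE)


def harvest_hosts(files: dict, in_scope: set) -> dict:
    """Map each out-of-scope hostname to the sorted list of files it appeared in."""
    found: dict[str, set] = {}
    for path, text in files.items():
        for host in HOST_RE.findall(text):
            found.setdefault(host.lower(), set()).add(path)
    return {h: sorted(paths) for h, paths in found.items() if h not in in_scope}


if __name__ == "__main__":
    for host, paths in sorted(harvest_hosts(SAMPLE_FILES, IN_SCOPE).items()):
        print(f"{host}  <-  {', '.join(paths)}")
```

To feed it real input, decode the APK with `apktool d app.apk -o decoded` and read the files under `decoded/`, or run `strings` over `classes.dex`; for the web side, save the JS bundles the browser loads. Hosts that show up here but nowhere in DNS brute-force results are exactly the ones scanners miss, and each one is a candidate for re-testing the same sign-up flow.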
