Account Takeover: How I Gained Access to Any User Account Through a Simple Registration Flaw
Hi, I’m Amr Kadry, a penetration tester and bug hunter recognized by over 45 companies, including Mozilla, CrowdStrike, Canva, and Vimeo. Today, I’m excited to share a unique scenario I encountered while testing an application’s security in an External Program. This vulnerability allowed me to bypass email verification and take over any user or employee account through a flaw in the registration process.
In this write-up, I’ll walk you through the step-by-step process that led to this discovery, exploring the website’s flow and uncovering how each overlooked detail contributed to a significant security vulnerability. We’ll dissect the exact methods used to bypass email verification, take over accounts, and ultimately reveal the risks that can arise.
The company provides tools for companies and organizations to build, manage, and engage online communities around their products.
Deep Dive into the Registration Flow:
First, I wanted to dive deeper into the registration flow and understand how the developers built it. So, I signed up for a 14-day free trial to create a community.
During the process, I discovered that in order to complete my account setup and create a community, I needed to enter an OTP sent to my email.
That’s pretty cool, but I had a few tricks up my sleeve to bypass the email verification during community creation. So, I decided to test it by signing up with a fake email address using the company’s domain, like moraa3@company.com.
And just like that, I bypassed the verification, and the system redirected me to complete the community setup.
A nice little bug was hiding there, but now it’s time for some serious digging!
Now that I’ve successfully registered with my first email, attabombo5@gmail.com, it’s time to see if I can take it over. :))
First, I tried to overwrite the email by using another one, moraa3@company.com, with a slight variation like attabombo5@gmail.coM. But, as I expected, that attempt failed.
However, there’s another simple scenario to overwrite the account — by signing up with the same victim email, attabombo5@gmail.com, but with a slight variation, like attabombo5@gmail.coM. Let’s see what happens next!
So, let’s sign up with attabombo5@gmail.coM.
LOL… it didn’t even tell me “The email already exists.” Instead, it just prompted me for the OTP!
Next, let’s try using my fake employee email, moraa3@company.coM, with a slight variation to see if it bypasses the OTP prompt, just like the first time. (It will be great!)
But nope, they surprised me and asked for the OTP here as well.
So, I decided to see if I could bypass this page somehow.
After a few moments, I realized there was no rate limiting in place.
And here’s another surprise: when I checked the OTP sent to my test account, attabombo5@gmail.com, I discovered that there was no expiry date for the OTP either.
After bypassing the OTP, I was able to easily take over any user or employee account without any issues.
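The three controls whose absence this chain relied on are a duplicate check on a normalized email (so a case variant like attabombo5@gmail.coM cannot shadow attabombo5@gmail.com), an OTP that expires, and a cap on verification attempts. The following is an added example written for this write-up, not code from the tested application; every name in it is hypothetical, and the 10-minute TTL and 5-attempt limit are assumed policy values.

```python
"""Registration hardening sketch (added example, not the tested application's code).

Demonstrates three controls the write-up found missing:
  1. duplicate checks on a normalized email, so attabombo5@gmail.coM
     cannot be registered alongside attabombo5@gmail.com;
  2. OTPs that expire;
  3. a cap on OTP verification attempts per pending signup.
All identifiers here are hypothetical.
"""
import hmac
import secrets
import unicodedata
from dataclasses import dataclass, field

OTP_TTL_SECONDS = 600      # assumed policy: a code dies 10 minutes after issue
MAX_OTP_ATTEMPTS = 5       # assumed policy: invalidate after 5 wrong guesses


def naive_is_duplicate(existing: set[str], email: str) -> bool:
    """Byte-exact comparison: the weak check the write-up walked around."""
    return email in existing


def normalize_email(email: str) -> str:
    """Canonical form used for uniqueness checks.

    Lower-cases the whole address. RFC 5321 technically allows a
    case-sensitive local part, but no mainstream provider honours that, and
    treating case variants as one identity is the conservative choice for
    account uniqueness. NFKC folds Unicode look-alikes such as fullwidth
    letters into their ASCII forms before comparison.
    """
    email = unicodedata.normalize("NFKC", email.strip())
    local, sep, domain = email.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {email!r}")
    return f"{local.lower()}@{domain.lower()}"


@dataclass
class PendingSignup:
    code: str
    issued_at: float
    attempts: int = 0


@dataclass
class Registry:
    verified: set[str] = field(default_factory=set)        # normalized emails
    pending: dict[str, PendingSignup] = field(default_factory=dict)

    def start_signup(self, email: str, now: float) -> str:
        """Return the OTP that would be mailed, or refuse a duplicate."""
        key = normalize_email(email)
        if key in self.verified:
            raise ValueError("account already exists")
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[key] = PendingSignup(code=code, issued_at=now)
        return code

    def verify(self, email: str, submitted: str, now: float) -> bool:
        """Consume a pending OTP; False on missing, expired, locked or wrong."""
        key = normalize_email(email)
        ps = self.pending.get(key)
        if ps is None:
            return False
        if now - ps.issued_at > OTP_TTL_SECONDS:
            del self.pending[key]        # expired: caller must request a new code
            return False
        if ps.attempts >= MAX_OTP_ATTEMPTS:
            del self.pending[key]        # guess budget exhausted: invalidate
            return False
        ps.attempts += 1
        if not hmac.compare_digest(ps.code, submitted):
            return False
        del self.pending[key]            # single use
        self.verified.add(key)
        return True


if __name__ == "__main__":
    # Constructed sample input mirroring the write-up's addresses.
    taken = {"attabombo5@gmail.com"}
    variant = "attabombo5@gmail.coM"
    print("naive duplicate check sees variant as taken:", naive_is_duplicate(taken, variant))
    print("normalized duplicate check sees variant as taken:", normalize_email(variant) in taken)
```

The `verify` path is written so that every failure branch returns the same value and, where a challenge is no longer usable, deletes it; the caller then has to restart the signup and receive a fresh code rather than keep guessing against the old one.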
Conclusion:
This vulnerability demonstrated how a simple flaw in the registration flow could lead to an easy Account Takeover (ATO) exploit. By bypassing email verification and exploiting the lack of rate limiting and of OTP expiry, I was able to take control of any user or employee account. I also discovered that by slightly altering the email address, such as using a variation like attabombo5@gmail.coM or moraa3@company.coM, I could overwrite an existing account and bypass the verification process entirely, taking over the account without facing any significant obstacles. This highlights how even minor oversights in the registration process can lead to major security risks.
I hope you found this write-up beneficial and insightful. I’m always striving to improve my future write-ups and make them even more informative. Feel free to connect with me on LinkedIn or reach out on my X account if you have any questions or need assistance. Looking forward to engaging with you!
LinkedIn: Amr Kadry
X: 0d_3mrr