0-Click ATO Due to Weak Reset Password Tokens and Lack of Rate Limiting
In our latest cybersecurity research, we discovered a significant vulnerability in the password reset functionality of a well-known corporation’s private bug bounty program on HackerOne. The flaw lies in the reset password token generation: the token is built from a weak algorithm with a fixed prefix and a small variable part, and the reset endpoint applies no rate limiting, so the token can be brute-forced. Our journey from discovery to proof of concept highlights the need for robust security measures to protect user accounts.
Steps to Reproduce
1. Initiate a Password Reset:
   - Request a password reset for target accounts to observe the structure of the reset password token. Identify the fixed and variable parts of the token.
2. Brute-Force the Token:
   - Use Burp Suite to brute-force the reset token. Capture the password reset request and identify the token parameter.
   - Manually set the first three digits to `001` and fuzz the remaining characters to generate numerous token combinations rapidly.
   - We sent more than 8,000 requests to successfully brute-force the token and reset the password for the target account.
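The two weaknesses the steps above rely on are a token with a fixed prefix and a small guessable part, and a verification endpoint that accepts unlimited guesses. The following is an added example of a hardened issue/verify flow written for this writeup, not the affected program's code; the 15-minute lifetime and 5-attempt limit are assumed policy values.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60   # assumed policy: token valid for 15 minutes
MAX_FAILED_ATTEMPTS = 5       # assumed policy: burn the token after 5 bad guesses


class ResetTokenStore:
    """Issues and verifies password-reset tokens (constructed in-memory demo store)."""

    def __init__(self, now=time.time):
        self._now = now
        self._pending = {}   # account -> (sha256 hex of token, issued_at)
        self._failures = {}  # account -> number of failed verifications

    def issue(self, account: str) -> str:
        # 32 bytes from the OS CSPRNG (~256 bits). Contrast with a token whose
        # first three digits are fixed and only a few digits vary: that leaves
        # at most 10**n guesses, which is why ~8,000 requests were enough above.
        token = secrets.token_urlsafe(32)
        # Store only a hash, so a leaked table does not hand out live tokens.
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._pending[account] = (digest, self._now())
        self._failures[account] = 0
        return token

    def verify(self, account: str, presented: str) -> bool:
        entry = self._pending.get(account)
        if entry is None:
            return False
        # Per-account attempt limit: once exceeded, even the real token is
        # rejected and the user must request a fresh reset.
        if self._failures.get(account, 0) >= MAX_FAILED_ATTEMPTS:
            return False
        digest, issued_at = entry
        if self._now() - issued_at > TOKEN_TTL_SECONDS:
            del self._pending[account]          # expired: discard it
            return False
        candidate = hashlib.sha256(presented.encode()).hexdigest()
        if hmac.compare_digest(digest, candidate):  # constant-time comparison
            del self._pending[account]          # single use
            return True
        self._failures[account] = self._failures.get(account, 0) + 1
        return False
```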
For the full version of this writeup, please visit [Unlocking the Weak Spot: Exploiting Insecure Password Reset Tokens].