Account Take Over | P1 — Critical
The author found a security flaw hidden in the "Forgot Password" feature that lets an attacker take over another user's account through a password reset. To exploit it, the attacker first issues a reset request with their own email address, then intercepts the request with a tool and modifies its parameters to gain control of the victim's account. 2025-10-13 07:24:47 Author: infosecwriteups.com Views: 145

Irsyad Muhammad Fawwaz


It started off like any other day until I got an unexpected email — an invite to a private bug bounty program. Curious, I jumped in. The target? A website we’ll call redacted.com.

I began testing the usual stuff — login pages, account settings, and then the “Forgot Password” feature. At first, everything seemed normal: enter your email, get a reset link. But as I dug deeper, I found something strange. There was a flaw that could let an attacker take over someone else’s account using the password reset feature.

It wasn’t obvious — pretty well-hidden, actually — but if exploited, it could allow someone to completely lock out a victim and take control of their account. Serious stuff.

Vulnerability Explanation:

Let’s break it down step by step:

  1. Setup: I have two accounts: one for the attacker ([email protected]) and one for the victim ([email protected]).
  2. Initial Request: The attacker initiates a "Forgot Password" request using their own email ([email protected]).
  3. Password Reset Link: A password reset link is sent to the attacker's email. The attacker clicks the link, leading to the page where they can set a new password.
  4. Intercepting the Request: Using Burp Suite, the attacker fills in the new…
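The mechanism the write-up describes, as an added example that is not part of the original post: a reset-confirmation handler that validates the token but then trusts an account identifier sent alongside it (so a tampered `email` field redirects the reset to another account), beside a hardened handler that derives the account solely from the token and consumes it. The parameter name `email`, the in-memory stores and the token format are assumptions; the write-up is cut off before it names the actual parameter.

```python
import hashlib
import secrets
import time

# Constructed in-memory state standing in for the application's database.
USERS = {"attacker@example.com": "old-attacker-pw", "victim@example.com": "old-victim-pw"}
RESET_TOKENS = {}  # sha256(token) -> (email the token was issued for, expiry)
TOKEN_TTL = 900    # seconds a reset link stays valid (assumed)

def issue_reset_token(email: str) -> str:
    """Steps 2-3 of the write-up: mint a random token bound to the requesting account."""
    if email not in USERS:
        return ""  # caller should answer identically either way to avoid account enumeration
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[hashlib.sha256(token.encode()).hexdigest()] = (email, time.time() + TOKEN_TTL)
    return token

def _account_for_token(token: str):
    """Return the email a live token was issued for, or None if unknown or expired."""
    entry = RESET_TOKENS.get(hashlib.sha256(token.encode()).hexdigest())
    if entry is None or entry[1] < time.time():
        return None
    return entry[0]

def confirm_reset_vulnerable(form: dict) -> bool:
    """Checks the token is valid, then trusts the client-supplied 'email' to pick the account.
    Any valid token (e.g. one issued to the attacker's own address) can therefore reset
    whichever account the intercepted request names."""
    if _account_for_token(form["token"]) is None:
        return False
    USERS[form["email"]] = form["new_password"]   # account chosen by the client, not the server
    return True

def confirm_reset_fixed(form: dict) -> bool:
    """Hardened: the account comes only from the token binding; any 'email' field is ignored,
    and the token is single-use."""
    email = _account_for_token(form["token"])
    if email is None:
        return False
    USERS[email] = form["new_password"]
    RESET_TOKENS.pop(hashlib.sha256(form["token"].encode()).hexdigest(), None)
    return True
```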

Source: https://infosecwriteups.com/account-take-over-p1-critical-5468ce8218b9?source=rss----7b722bfd1b8d---4