Hi everyone, in this article I'll walk you through a small bypass I found that let me skip the security questions altogether and change the user's password.
Note: Apologies for the lack of screenshots. I do not have the permissions to post them.
Before going through the vulnerability, I'll walk you through the high-level diagram and the issue.
Application overview
The reset/forgot password module allows users to change their password. If a user has security questions set on their account, they have to answer all three security questions they set before the application allows them to change the password.
However, if the user had not set up security questions, they could change their password directly through the password-change link received in their email client.
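To make the two paths above concrete, here is an added example (my own illustration, not the application's code) of how a server should implement them: the reset endpoint issues a single-use token, a second step verifies every configured security question, and the final password change only succeeds when the token's server-side state says the questions were verified, or the account has none. The sample users, the link format, the function names and the in-memory stores are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional

# Constructed sample data for this example (assumption: the real application
# keeps users and reset tokens in a database). Answers are stored salted+hashed.
def _hash_answer(answer: str, salt: bytes) -> bytes:
    # Normalise case and whitespace so "Rex" and " rex " match, then hash with a per-user salt
    normalised = " ".join(answer.lower().split())
    return hashlib.pbkdf2_hmac("sha256", normalised.encode(), salt, 100_000)

ALICE_SALT = secrets.token_bytes(16)
USERS: Dict[str, dict] = {
    # alice configured three security questions
    "alice": {
        "email": "alice@example.com",
        "password_hash": None,
        "salt": ALICE_SALT,
        "questions": {
            "First pet?": _hash_answer("Rex", ALICE_SALT),
            "Birth city?": _hash_answer("Lisbon", ALICE_SALT),
            "Favourite teacher?": _hash_answer("Mrs Hill", ALICE_SALT),
        },
    },
    # bob never set security questions
    "bob": {"email": "bob@example.com", "password_hash": None,
            "salt": secrets.token_bytes(16), "questions": {}},
}

# token -> server-side state. The client never gets to assert "questions verified".
RESET_TOKENS: Dict[str, dict] = {}
TOKEN_TTL_SECONDS = 15 * 60

def request_reset(username: str) -> Optional[str]:
    """Reset endpoint: issue a single-use, expiring token and return the emailed link."""
    user = USERS.get(username)
    if user is None:
        return None  # a real app answers identically for unknown users to avoid enumeration
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[token] = {
        "user": username,
        "expires": time.time() + TOKEN_TTL_SECONDS,
        # no questions configured => nothing to verify, the link alone is enough
        "questions_verified": not user["questions"],
    }
    return f"https://app.example.com/reset?token={token}"  # hypothetical link format

def _valid_token(token: str) -> Optional[dict]:
    """Return the token's state if it exists and has not expired, else None."""
    state = RESET_TOKENS.get(token)
    if state is None or time.time() > state["expires"]:
        RESET_TOKENS.pop(token, None)
        return None
    return state

def answer_questions(token: str, answers: Dict[str, str]) -> bool:
    """Verify every configured question for the token's user; record success server-side."""
    state = _valid_token(token)
    if state is None:
        return False
    user = USERS[state["user"]]
    expected = user["questions"]
    if set(answers) != set(expected):
        return False  # all questions must be answered, no more and no fewer
    ok = True
    for question, stored in expected.items():
        supplied = _hash_answer(answers[question], user["salt"])
        # check every answer without early exit, using a constant-time comparison
        ok &= hmac.compare_digest(supplied, stored)
    if ok:
        state["questions_verified"] = True
    return ok

def change_password(token: str, new_password: str) -> bool:
    """Final step: only a token whose server-side state is verified may change the password."""
    state = _valid_token(token)
    if state is None or not state["questions_verified"]:
        return False
    user = USERS[state["user"]]
    user["password_hash"] = hashlib.pbkdf2_hmac(
        "sha256", new_password.encode(), user["salt"], 100_000)
    RESET_TOKENS.pop(token, None)  # single use: the link cannot be replayed
    return True
```

The design point is that the "questions verified" fact lives only in the server-side record keyed by the token; it is never carried in a request parameter, a cookie the client controls, or a second token that the change-password step would trust on its own. A user without questions gets that bit set at issue time, a user with questions only gets it after every answer checks out, and the change-password step refuses anything else.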
When a user clicks the reset/forgot password link, a POST request is sent to the /api/resetpassword endpoint, and the user receives an email containing a unique link. The link contains a token parameter which allows…