Hi folks, this is the second write-up about finding bugs on Chess.com. You can find the first one here.
Chess.com is the most famous website for playing & learning chess.
You can log in to the site with either of two identifiers: your email address or your username. The lesson of this story is to test every feature and look for anomalies in each one.
I found that when you change your password, the change applies to only one login path (email): right after changing it, you cannot log in with your username and the new password. The new password only reaches the username login path about 10 minutes later. So if your password leaks and you change it, whoever has the old password can still log in with your username and the old password during that window. The update query for the password change works as shown in the following image:
After I reported this bug to Chess.com, they said the delay was due to replication and was temporary. I checked again the next day and the bug was still there!
In the end, the report was scored 3.5 on CVSS.
On further investigation, I found that existing sessions did not expire after the 10 minutes either! I checked the change-password form and there was no rate limit! BOOM!!!
Using Burp Intruder, I ran a brute-force attack and found the new password. I escalated the bug to a full account takeover.
The report was scored 4.4 on CVSS and they increased the bounty to $400.
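As an added example that is not part of the original write-up and does not describe Chess.com's real implementation, the following constructed Python model reproduces the three observable behaviours from the report (a username lookup served from a replica that applies the password change about 10 minutes late, sessions that survive a password change, and an unthrottled change-password endpoint) and then shows a hardened store that fixes all three: the secret is always verified against the primary, a per-account session version is bumped on every change, and failed old-password checks are counted per account. All class names, the 600-second lag and the 5-per-15-minutes limit are assumptions.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    email: str
    username: str
    salt: bytes
    pw_hash: bytes
    session_version: int = 1               # bumped on every password change
    fails: list = field(default_factory=list)  # times of failed change-password attempts


class LaggyStore:
    """Constructed model of the reported bug: login by email reads the primary,
    login by username reads a replica that applies writes LAG seconds late."""
    LAG = 600  # assumed 10-minute replication delay

    def __init__(self):
        self.primary = {}   # uid -> Account
        self.replica = {}   # uid -> (salt, pw_hash) as the replica last saw them
        self.pending = []   # (apply_at, uid, salt, pw_hash) not yet replicated

    def create(self, uid, email, username, password):
        salt = os.urandom(16)
        self.primary[uid] = Account(email, username, salt, hash_password(password, salt))
        self.replica[uid] = (salt, self.primary[uid].pw_hash)

    def _sync(self, now):
        """Apply every pending write whose replication delay has elapsed."""
        still = []
        for apply_at, uid, salt, pw_hash in self.pending:
            if apply_at <= now:
                self.replica[uid] = (salt, pw_hash)
            else:
                still.append((apply_at, uid, salt, pw_hash))
        self.pending = still

    def change_password(self, uid, new_password, now):
        acct = self.primary[uid]
        acct.salt = os.urandom(16)
        acct.pw_hash = hash_password(new_password, acct.salt)
        self.pending.append((now + self.LAG, uid, acct.salt, acct.pw_hash))

    def login(self, identifier, password, now):
        self._sync(now)
        for uid, acct in self.primary.items():
            if identifier == acct.email:
                salt, h = acct.salt, acct.pw_hash        # fresh
            elif identifier == acct.username:
                salt, h = self.replica[uid]              # possibly stale
            else:
                continue
            return hmac.compare_digest(hash_password(password, salt), h)
        return False


class HardenedStore(LaggyStore):
    """Same replication, but the secret is checked on the primary, sessions carry a
    version that a password change invalidates, and the endpoint is throttled."""
    MAX_FAILS, WINDOW = 5, 900   # assumed: 5 failed attempts per 15 minutes

    def __init__(self):
        super().__init__()
        self.sessions = {}   # token -> (uid, session_version at issue time)

    def _resolve(self, identifier):
        for uid, acct in self.primary.items():
            if identifier in (acct.email, acct.username):
                return uid
        return None

    def login(self, identifier, password, now):
        uid = self._resolve(identifier)   # name-to-id lookup may be served from anywhere
        if uid is None:
            return False
        acct = self.primary[uid]          # the secret is always verified on the primary
        return hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash)

    def issue_session(self, uid):
        token = secrets.token_hex(16)
        self.sessions[token] = (uid, self.primary[uid].session_version)
        return token

    def session_valid(self, token):
        entry = self.sessions.get(token)
        return entry is not None and entry[1] == self.primary[entry[0]].session_version

    def change_password(self, uid, old_password, new_password, now):
        acct = self.primary[uid]
        acct.fails = [t for t in acct.fails if now - t < self.WINDOW]
        if len(acct.fails) >= self.MAX_FAILS:
            return "rate_limited"
        if not hmac.compare_digest(hash_password(old_password, acct.salt), acct.pw_hash):
            acct.fails.append(now)
            return "wrong_old_password"
        super().change_password(uid, new_password, now)
        acct.session_version += 1   # every session issued before this moment is now dead
        return "ok"
```

With `LaggyStore`, a login by username and the old password still succeeds for 600 simulated seconds after the change, exactly the window the report describes; with `HardenedStore` it fails immediately, a session issued before the change stops validating, and a sixth change attempt inside the window is refused even when the old password is correct.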
You can find me on Twitter at the following link: