Always finish with a sweet Bug
Hello, friends today I will tell you how I was able to find a critical vulnerability during an internal assessment.
It was my last day at the office, after one year in this company as a pentester, now its time to move for another adventure.
I was chilling since I’ve already done my missions, but one of the developers asked me if I can do a quick pentest against the new API they are developing!
Euuh! We never say no to a hacking request, let’s take out the big Katana and start the work.
So It was an OpenAPI with many endpoints, but I tried to focus only on the authentication ones.
The developer also told me that there’s a special behaviour about the registration endpoint :
So when someone create a new account, the account get stored in the database but as a Pending account, till he activate it, the user need to give an Email, Phone number and other informations…
If the user made a mistake while creating his account, he can simply create a new one with the same Email or the same Phone number then he will overwrite the first wrong account!
What a weird behaviour!
So from what I understood, If a user creates a new account he can overwrite it if the phone number or the Email is the same and also the account is not activated yet!
Looks normal, since the way the overwrite the account is only pending and it accepts only the same email and number, so it’s secure (or maybe not).
This account can be replaced
Account1 = email@example.com | 0611223344 | Eddie | Morra | (Pending)
Account2 = firstname.lastname@example.org | 0611223344 | Bob| hihi| (Pending)
So the new account will be under the name Bon hihi with same email and number.
Action time :
So here you can see the request to create a new account under the name “aa”
And here we can see it stored successfully in the database, you can also see the Pending status
Now I tried to overWrite this account by making a new registration with the same Phone number and same email but with Name “bb”
Now if we search for the first account with the “aa” name will not find it, because it’s overwritten by the new one.
Then if we search for the “bb” account we will find it
So basically after understanding this, if we want to bypass or take over an account, we will need to find a way to bypass the email and phone number validation, if you look carefully at the registration requestion, you will see that there’s a parameter called PhonePrefix it’s used to verify the country number for example ‘+33’ for France.
Normaly a number that start with +33 or 06 are the same if you are in france, so does the API take this as the same or not ?
Well I tried to overWrite the “bb” account and change the number to the same one but with +33 as a prefix
The API accepted the number as the same, +33xxx = 06xxx and the account is overWrited
Then what about the email, will it over write the account if I give it in capital letters ?
Here I tried to give the same Email with capital letter and same number without the +33, so how the API will hundel this ?
Bingo! The API accepted what we send as a new account but its actually the same one with the same creeds, I’m not sure how the API will react when we gonna log in with one of the accounts but I guess this vulnerability will take over any account just by knowing the email and phone number since the backend is not case sensitive.
Ps: This works also for activated accounts ;)
Thanks for reading!