Always finish with a sweet Bug

Hello, friends today I will tell you how I was able to find a critical vulnerability during an internal assessment.

It was my last day at the office, after one year in this company as a pentester, now its time to move for another adventure.

I was chilling since I’ve already done my missions, but one of the developers asked me if I can do a quick pentest against the new API they are developing!

Euuh! We never say no to a hacking request, let’s take out the big Katana and start the work.

So It was an OpenAPI with many endpoints, but I tried to focus only on the authentication ones.

The developer also told me that there’s a special behaviour about the registration endpoint :

So when someone create a new account, the account get stored in the database but as a Pending account, till he activate it, the user need to give an Email, Phone number and other informations…
If the user made a mistake while creating his account, he can simply create a new one with the same Email or the same Phone number then he will overwrite the first wrong account!

What a weird behaviour!

So from what I understood, If a user creates a new account he can overwrite it if the phone number or the Email is the same and also the account is not activated yet!
Looks normal, since the way the overwrite the account is only pending and it accepts only the same email and number, so it’s secure (or maybe not).

Example :
This account can be replaced
Account1 = tst@gmail.com | 0611223344 | Eddie | Morra | (Pending)
Account2 = tst@gmail.com | 0611223344 | Bob| hihi| (Pending)
So the new account will be under the name Bon hihi with same email and number.

Action time :

So here you can see the request to create a new account under the name “aa”

Registration

And here we can see it stored successfully in the database, you can also see the Pending status

Successfully registred

Now I tried to overWrite this account by making a new registration with the same Phone number and same email but with Name “bb”

Overwriting the account

Now if we search for the first account with the “aa” name will not find it, because it’s overwritten by the new one.

No results

Then if we search for the “bb” account we will find it

Exist

So basically after understanding this, if we want to bypass or take over an account, we will need to find a way to bypass the email and phone number validation, if you look carefully at the registration requestion, you will see that there’s a parameter called PhonePrefix it’s used to verify the country number for example ‘+33’ for France.
Normaly a number that start with +33 or 06 are the same if you are in france, so does the API take this as the same or not ?

Well I tried to overWrite the “bb” account and change the number to the same one but with +33 as a prefix

The API accepted the number as the same, +33xxx = 06xxx and the account is overWrited

Then what about the email, will it over write the account if I give it in capital letters ?

Here I tried to give the same Email with capital letter and same number without the +33, so how the API will hundel this ?

Bingo! The API accepted what we send as a new account but its actually the same one with the same creeds, I’m not sure how the API will react when we gonna log in with one of the accounts but I guess this vulnerability will take over any account just by knowing the email and phone number since the backend is not case sensitive.
Ps: This works also for activated accounts ;)

Thanks for reading!

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Eddie Mora

Eddie Mora

The best puzzles are not meant to be solved{fahdabida.com}