$500 Bounty for Account Takeover on European Bug Bounty Platform
TL;DR
A critical vulnerability in the password reset functionality of a popular European bug bounty platform allowed attackers to perform an account takeover by submitting an empty reset code. This flaw could lead to full site compromise, including data breaches and privilege escalation. After further investigation and an appeal to the platform, I was awarded a $500 bounty for the finding, despite the platform’s decision not to reassess the severity.
Background:
Bug bounty platforms are essential for uncovering vulnerabilities in the digital ecosystem. They allow ethical hackers to report security flaws, helping organizations patch vulnerabilities before malicious actors can exploit them. In this particular case, I discovered a vulnerability on a European bug bounty platform that could lead to severe consequences, including unauthorized account access and full site compromise.
Vulnerability Details:
I discovered a flaw in the password reset functionality of a platform’s plugin that allows attackers to bypass the reset code validation. Here’s a breakdown of the issue:
- Attacker initiates password reset: The attacker visits the password reset page and submits their own email address.
- Reset link is sent: The platform sends a password reset link to the attacker’s email address.
- Attacker visits the reset link: The attacker clicks on the reset link to navigate to the password change page.
- Attacker intercepts the request: The attacker modifies the reset password request, setting the `user` body parameter to the victim's username and leaving the `code` body parameter empty (e.g., `code=`).
- Account takeover: Since the platform doesn’t properly validate the reset code, the attacker can set a new password for the target user’s account, successfully taking control.
Technical Details and PoC:
To discover and confirm this vulnerability, I did a bit of unconventional research. I was able to locate the platform’s plugin/theme source code online (LOL). I downloaded and set up a testing lab on my local machine by installing the plugin and thoroughly reviewing the source code. My findings, which I believe warrant a CVE, are detailed below.
Key Findings:
- The vulnerability occurs because the platform fails to properly validate the reset code, allowing attackers to bypass the password reset process and set a new password for any user.
- The request can be intercepted and manipulated, with an empty reset code (`code=`) used to successfully reset the victim's password.
Source Code Analysis:
Upon reviewing the source code, I discovered the following vulnerability in the plugin responsible for handling password resets. Specifically, the code for resetting passwords does not properly handle empty or invalid reset codes. The vulnerable code snippet is:
```php
static function can_reset_password($user_name, $code) {
    $current_user = wp_get_current_user();
    $user = get_user_by('login', $user_name);
    // An anonymous visitor ($current_user->ID is 0) may attempt a reset for any existing login.
    if ($user && (!$current_user->ID || $current_user->user_login == $user_name)) {
        $reset_code = get_user_meta($user->ID, 'resetpass_code', true); // vulnerable line
        // get_user_meta() returns '' when no code is stored for the user, so an
        // empty submitted $code satisfies the strict comparison below.
        if ($reset_code === $code) {
            return true;
        }
    }
    return false;
}
```
The code never checks that the submitted reset code is non-empty. Because get_user_meta() returns an empty string for a user who has no reset code stored, an empty `code=` parameter matches that empty string and the attacker bypasses the reset process without ever receiving a code for the victim.
Impact:
This vulnerability could have serious consequences if exploited:
- Data breaches: Attackers could gain access to private user data such as usernames, emails, and passwords, or even sensitive content.
- Privilege escalation: Attackers gaining access to user accounts may escalate privileges, leading to administrative access.
- Full site compromise: If an attacker compromises an admin account, they could upload malicious scripts or shells, disable security plugins, and create backdoors for persistent access.
- Financial loss: Compromised accounts could be used for unauthorized transactions or data theft.
- Reputation damage: Such a vulnerability erodes trust, and users may lose confidence in the platform’s ability to protect their information.
- Legal ramifications: Data protection regulations may be violated if user data is exposed due to this flaw.
Fix and Recommendations:
To address this vulnerability, I recommend the following actions:
- Improve reset code validation: Ensure that the reset code is not empty or null before allowing any password reset action.
- Implement additional security layers: Consider introducing two-factor authentication (2FA) for an added layer of protection during sensitive operations such as password resets.
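The following is an added example (not the plugin's or the platform's code) showing how the check analysed in the Source Code Analysis section could be hardened along the lines of the first recommendation. It keeps the same WordPress helpers and the `resetpass_code` user-meta key seen in the vulnerable snippet; the `resetpass_expires` meta key, the `Hardened_Reset_Example` class name and the `issue_reset_code()` helper are assumptions introduced here for illustration.

```php
<?php
// Added example, not the original plugin's code. Assumes WordPress core helpers
// (get_user_by, get_user_meta, update_user_meta, wp_get_current_user) and the
// 'resetpass_code' meta key from the vulnerable snippet. 'resetpass_expires'
// and the class/helper names are hypothetical.
class Hardened_Reset_Example {

    const CODE_TTL_SECONDS = 3600; // hypothetical lifetime of a reset code

    // Issue a fresh, unguessable reset code and store it with an expiry.
    // Returns the code so the caller can e-mail it to the account owner.
    public static function issue_reset_code($user_name) {
        $user = get_user_by('login', $user_name);
        if (!$user) {
            return null; // caller must not reveal whether the login exists
        }
        $code = bin2hex(random_bytes(16)); // 128 bits from the CSPRNG
        update_user_meta($user->ID, 'resetpass_code', $code);
        update_user_meta($user->ID, 'resetpass_expires', time() + self::CODE_TTL_SECONDS);
        return $code;
    }

    // Hardened replacement for can_reset_password(): refuses empty codes,
    // refuses accounts with no stored code, enforces expiry and compares in
    // constant time.
    public static function can_reset_password($user_name, $code) {
        // 1. Reject an empty or non-string code before touching any user data.
        //    This alone closes the 'code=' bypass described above.
        if (!is_string($code) || $code === '') {
            return false;
        }

        $user = get_user_by('login', $user_name);
        if (!$user) {
            return false;
        }

        // 2. Keep the original rule: only an anonymous visitor following the
        //    e-mailed link, or the account owner, may reset this account.
        $current_user = wp_get_current_user();
        if ($current_user->ID && $current_user->user_login !== $user_name) {
            return false;
        }

        // 3. A missing meta value comes back as '' from get_user_meta(); treat
        //    that, and an expired code, as "no valid code on file".
        $stored  = get_user_meta($user->ID, 'resetpass_code', true);
        $expires = (int) get_user_meta($user->ID, 'resetpass_expires', true);
        if (!is_string($stored) || $stored === '' || $expires < time()) {
            return false;
        }

        // 4. Constant-time comparison of the stored and submitted codes.
        return hash_equals($stored, $code);
    }
}
```

The predicate is deliberately side-effect free: after the caller has actually changed the password (for example with wp_set_password), it should delete both meta keys so the same link cannot be replayed. With step 1 in place, the empty-code request from the PoC is rejected before any user lookup occurs, and step 3 means an account that never requested a reset has nothing an attacker can match against.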
Platform’s Response to My Appeal:
After submitting the vulnerability and appealing for a higher severity rating, the platform’s team responded as follows:
Hi!
Sorry for the late response. The vulnerability is still being considered as High, you can read in the program’s scope that under High severity are Vulnerable authentication and Privilege escalation which is the exact scenario you have described before.
Please let us know your PayPal account so we can proceed with the payment.
Thanks!
Despite my request for a reassessment, the platform did not revise the severity of the vulnerability, keeping it classified as “High” rather than “Critical.” Nonetheless, they acknowledged the validity of the finding and awarded me a $500 bounty for my discovery.