A2 - Broken Authentication and Session Management leads to full account takeover

Hi Everyone,

In this Blog Post I will show you how I was able to reset all cobalt users passwords.

Introduction:- 

Cobalt is a bug bounty platform where security researcher participates in various programs. Cobalt itself runs a bug bounty program.


How it Started:-

Long time back when I was no where in to bug hunting. I have created my account on multiple platforms who runs bug bounty just to see how this program works and In a thought of soon I will participate,  Then later on when I sharpen my skill sets I I decided to start participating in bug bounty programs.

I started my bug hunting from normal sites which gives Hall Of Fame to Security Researcher and then I started on Hackerone platform. I got a good number of hits in that ;)

Later on I thought, lets try finding bugs on some other platform. I selected cobalt platform.
I started my research by checking their email address change functionality to check whether it's secured or not.

And there it is I found some juicy bug on their site which is quite interesting

Proof Of Concept:- 

In every application you must have observed feature that you can reset your email id as an when you require. Similarly In Cobalt also that feature was there but problem here is their reset email address  module for changing users email id was vulnerable.

Explaining Furthermore,

Say,
1] There are two user who are part of cobalt User A and User B

2] User A has email address abc@gmail.com and

3] User B has email address xyz@gmail.com Then

4] If User A thinking to update his email to xyz@gmail.com then generally we get prompt message saying email address already taken OR email id already in used by someone.

But this is not happening here in cobalt. Hence if User A by mistakenly setting User B email address and that User B know this flow then he can reset User A Email address well this is it, Then this leads to full account takeover of all the cobalt users whose email id is @gmail.com.

Well this issue may looks small but hold on this is "Account Takeover bug"
Lets see the attack scenario.

Attack Scenario:-

=>Victim    - code who wants to change his email address to new email address
=>Attacker - nilesh knows this bug in cobalt

Victim as code thought to change his email address, so he decided to change his new email address as nilesh.s.sapariya@gmail.com

Now code is not aware that this user is already part of cobalt. Once code changes his email address to nilesh then nilesh receives email confirmation notification alert in his email address.

Nilesh knows this bug so nilesh will simply accepts the email confirmation mail. Once confirmed code mail address will be updated to nilesh mail address :)

Now, Nilesh will go to login page => Click on forgot password => Put his email address => bang nilesh resets code password

I explained this to cobalt security team And I got reply as below:-



Directly rejected.

They said its gmail behavior of not accepting dots(.)
https://support.google.com/mail/answer/10313?hl=en


Because the bug is any user (part of cobalt) If updating someone else email id(who is part of cobalt) then that someone by confirming the email confirmation link can reset the email address.

So I got this reply again.



So finally I decided to create video POC :
Its bit lengthy so If you have time so you can click here to see.  OR skip :)

After this video POC again I started explaining from the scratch and reply response continued and this mail thread gone bigger and bigger.

Again I have given entire explanation what is wrong happening here. And see what I got reply.




Kill me pls..


After that again on a same point discussion started this way reply response of all repeated things was going on,

I am trying to finish this short as there was so many communication happens.

Just to make them understand that:-
1st point: No user should have permission to set email address which other user already using in the same application (cobalt).
2nd point: No email confirmation link should be trigger, If victim changes email address to someone else who is part of cobalt.

Only this 2 point  :(


And note this was happening only for @gmail users and not for @cobalt users. Well but all cobalt users uses @gmail id.

Again I wrote explanation with all the point,



And Again See what I got a reply from their end




After this again same conversation got continued explaining each point again and again :(

While we are exchanging mails someone from their team, Putted my email address on his account for changing email

Well that's what attacker want to exploit this bug: :)


At this point of time I came to know again this guys doing something i.e he putted my email id in his account and I got mail notification alert.
So now I decided that I will takeover his account.But I will record everything so that they will understand. :P

So I created another Video POC demonstration but this time hacking cobalt team member account.
On below video POC you will see how I hacked cobalt team member account and changed his password :-



PS: He sets 2 factor Authentication but then he has no way to change his password after I take over his account

Later on his team member asked me for the password which I changed it :P XD




I gave him the password which I reseted. But you know what if he will try to change his password then again notification will be trigger to my email id. So Again I can change his reset password and there is no way he can reset it back.

THIS IS THE IMPACT OF THIS BUG.

Anyways, later on Cobalt senior member fixed this bug by not allowing users to update existing used email address which is already part of cobalt


So now no users can update email address which someone else using in cobalt. So no account takeover possible.

So finally they patched the bug.


So What I Got is :- 

1] Reward: Declined




Yes you heard it right they said the reason "This turned out to be invalid, and you ignored our repeated mentions of the GMail-.-artifact."

Phewwwww.....I have no comments here.

At the end:
I would like to thanks Cobalt team for fixing this bug. And I appreciated what reward they have given me.
#Happy Learning For Me  :/



Well well well wait this is not ended yet.

MORAL OF THE STORY:-

=>Never Give Up. Do not give it up ever If such things happen to any Security Researcher.

=> Focus where your research got appreciated and work hard on it.

Final Take Away :




Thank you for reading.

Share this

Related Posts

Previous
Next Post »