
GET all Company Support Users Details including email and phones + Mass Account Take Over



Published 2 weeks ago


Hi, this is the DevSecure Team. We specialize in uncovering hidden vulnerabilities that pose real-world risks to modern web applications.
All vulnerabilities shared in these write-ups are fully redacted: any company names, domains, or sensitive details are replaced with placeholders such as company.com. Each finding was responsibly disclosed through the Intigriti platform and has been verified and resolved by the affected vendor.

Every post represents our commitment to ethical hacking, responsible disclosure, and continuous learning, helping organizations strengthen their defenses while contributing to a safer global cybersecurity ecosystem.

Description:

The idea: when an attacker tries to change a support contact user's email to a new attacker-controlled email, the application sends both emails to the attacker's inbox, one for the attacker's address and one for the support user whose address is being changed. The request enumerates support users by id alone (it is based purely on the id), and once the request is sent you can get full information about that support user from the userListSearch endpoint. During my testing I found that for some company auditor users you can make your own email the default if there is no primary contact on their account, and you can then take over their account by sending a reset email. I have a PoC; details are at the bottom.

Affected Parameter / Endpoint: https://admin.company.com/admin/redactedpath/settings

Proof of Concept:

Step-by-step to reproduce:
  • Step 1: you need to be logged in as admin; go to admin.company.com
  • Step 2: send a PUT request to this endpoint:
    PUT /admin/redactedpath/settings HTTP/2
    Host: admin.company.com

    {"idUser":1,"idUser":"HERE_PUT_THE_ID_OF_SUPPORT","fullName":"Name","email":"test@test.com",...}
  • Step 3: to get these users' info, you can make a simple search on this endpoint and you will find them:
    POST /admin/redactedpath/userListSearch HTTP/2
I did not want to make a lot of account takeovers, so I made just one for the PoC.

Account takeover for {"userId":xxxxxx, "name":"XXXX XXX", "email":"xxx.xxx@attacker.com", ...}: the email is now xxx.xxx@attacker.com and the password is MyNewPassword.
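The request in Step 2 carries idUser twice: a lenient JSON parser keeps the last value, so the authorization check (if any) sees one id while the update lands on another. The following is an added defensive example, not code from the original post or the affected vendor; the user directory, field names and handler are constructed assumptions. It shows the default lenient behaviour next to a hardened handler that refuses duplicate keys and derives the target account from the session instead of the body.

```python
import json

# Constructed sample directory of support users (hypothetical, not from the report).
SUPPORT_USERS = {
    1: {"fullName": "Admin One", "email": "admin1@company.com"},
    42: {"fullName": "Support Two", "email": "support2@company.com"},
}


class DuplicateKeyError(ValueError):
    """Raised when a JSON object carries the same key more than once."""


def _reject_duplicate_keys(pairs):
    obj = {}
    for key, value in pairs:
        if key in obj:
            raise DuplicateKeyError(f"duplicate key {key!r}")
        obj[key] = value
    return obj


def lenient_user_id(body: str):
    """What a default parser does: with repeated keys, the last value wins."""
    return json.loads(body).get("idUser")


def parse_strict(body: str) -> dict:
    """Parse JSON but refuse objects with repeated keys instead of silently keeping one."""
    return json.loads(body, object_pairs_hook=_reject_duplicate_keys)


def handle_settings_update(session_user_id: int, body: str) -> tuple[int, str]:
    """Hardened PUT /settings handler: identity comes from the session, never the body."""
    try:
        data = parse_strict(body)
    except DuplicateKeyError as exc:
        return 400, f"rejected: {exc}"
    except json.JSONDecodeError:
        return 400, "rejected: malformed JSON"
    # Tolerate idUser in the body only when it agrees with the authenticated user.
    if "idUser" in data and data["idUser"] != session_user_id:
        return 403, "rejected: idUser does not match the authenticated user"
    record = SUPPORT_USERS.get(session_user_id)
    if record is None:
        return 404, "rejected: unknown user"
    for field in ("fullName", "email"):  # allow-list of writable fields
        if field in data:
            record[field] = data[field]
    return 200, "updated"
```

Logging a 400 from the duplicate-key path is also a useful detection signal, since legitimate clients never emit the same key twice.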

Impact:

Explain how an attacker could abuse this issue...

Severity:

Critical: mass account takeover, no user interaction.

Timeline:
  • Platform: Intigriti
  • Reported: 20/03/2023
  • Triaged: 21/03/2023
  • Accepted & paid: 21/03/2023
  • Bounty: €3,000

https://app.intigriti.com/profile/merroun
