Pre-Account Takeover + Account Lockout

medium.com · Mohamed_Farghly · 10 days ago · research
Mohamed_Farghly · ~2 min read · April 1, 2026 (Updated: April 1, 2026)

During the authentication process, the backend does not properly bind the account identifier to the OTP verification session. By intercepting the requests and modifying specific parameters in specific endpoints, it is possible to switch the authentication context to a different account: the attacker gains access to the account of any user who does not yet have an account on the platform, and can also activate 2FA on it with any authenticator application.

Attack Scenario:

1. The attacker creates an account, receives a valid OTP, and submits it.
2. The attacker intercepts the following requests using Burp:
   - The first request: https://welcome.target.com/api/web-components/1/register, specifically the email parameter.
   - The second request: https://login.target.com/api/login, specifically the login parameter.
3. By replacing the email and login values with the victim's email and forwarding the requests, the attacker registers and accesses the victim's account.
4. After accessing the victim's account, the attacker can enable Two-Factor Authentication using the following steps:
   1. Open profile settings.
   2. Navigate to "Account security and recovery".
   3. Configure Two-Factor Authentication.
   4. Enter the account password (the attacker's own password).
   5. Register a new third-party OTP authenticator.
   6. Scan the QR code with an authenticator application.

Now, when the victim attempts to register on the platform, the system redirects them to the login page because the email already exists. If the user attempts to recover the account using the password reset feature, they may be able to change the password via the email reset link. However, during login they would still be required to provide the 2FA code, which is controlled by the attacker's authenticator application.

The key point: both requests must be manipulated together across two different subdomains to succeed, and this behavior follows the normal authentication flow of the platform.

But the Program Response was: when I got the response saying it is "User email verification", I was really surprised, because the impact is much bigger than that!! So I tried to reply and explain the impact more clearly, but the program flew away 😂😂

#bug-bounty #cybersecurity #red-team #web-security
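The root cause described above, as an added example that is not from the original post or the target platform's code: a minimal Python model of an OTP-gated registration step, with the vulnerable check (trusts the email sent in the register request) beside the hardened check (the email must match the one the OTP was issued for, and the session is single-use). `OtpStore`, `OtpSession` and the two `register_*` functions are hypothetical names.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

@dataclass
class OtpSession:
    """One OTP challenge (hypothetical model, not the target platform's code)."""
    email: str           # identifier the OTP was issued for
    otp_hash: str        # sha256 of the one-time code
    verified: bool = False

class OtpStore:
    """Issues and verifies OTP challenges keyed by an opaque session id."""
    def __init__(self):
        self.sessions = {}

    def issue(self, email):
        sid = secrets.token_urlsafe(16)
        otp = f"{secrets.randbelow(10**6):06d}"
        digest = hashlib.sha256(otp.encode()).hexdigest()
        self.sessions[sid] = OtpSession(email.lower(), digest)
        return sid, otp            # otp would be delivered to `email`

    def verify(self, sid, otp):
        s = self.sessions.get(sid)
        if s is None:
            return False
        digest = hashlib.sha256(otp.encode()).hexdigest()
        s.verified = hmac.compare_digest(s.otp_hash, digest)
        return s.verified

def register_vulnerable(store, sid, email):
    """Checks only that *some* OTP passed, then trusts the email from the
    request body, so a swapped email re-targets the account being created."""
    s = store.sessions.get(sid)
    if s is None or not s.verified:
        return None
    return {"email": email.lower()}

def register_hardened(store, sid, email):
    """Binds the identifier to the session: the email in the register request
    must equal the one the OTP was sent to, and the session is single-use."""
    s = store.sessions.get(sid)
    if s is None or not s.verified or s.email != email.lower():
        return None
    del store.sessions[sid]
    return {"email": s.email}
```

The same binding applies to the second request in the write-up: the `login` value accepted after OTP verification should be taken from the verified session, not from the request body.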