Password Reset Link Doesn’t Expires On Email Change
Summary :
When an actor claims to have a given identity, the software does not prove or insufficiently proves that the claim is correct. This can be listed under improper authentication.
When any user sends the password reset link but does not use it and it remains unused in the user’s inbox, here if in any case the attacker gets access to the victim’s main inbox (gmail or yahoo) he/she can takeover the account on the other websites which is being used by the user with the same email.
Why this happens ?
- Websites forget to set the email expiration time.
- Websites doesn’t expires the old password reset link on email change
- Websites doesn’t expires the password reset token after being used once
How to find this vulnerability ?
- Go to your target website and send a reset link to your account
2. Now don’t use it, just login to your account and change the email
3. Now after changing the email and confirming it logout of the account and use that old password reset link to reset the password which was sent to your old email address.
4. Now Reset the password
5. Log in with the changed password
NOTE : In real case scenario it is only possible if your main account (gmail/yahoo) gets compromised. But 70 out of 100 websites accepts this risk so you can report it.
Thank You :)
Instagram : jerry._.3