search
Bugcrowd Profile
Page cover

🟥Exploiting the Authentication Flow to Block Any User from Logging In/Resetting Password + An IDOR

A Vulnerable by Design Authentication System of a Very Famous Note-Taking App + Medium Severity IDOR

Hello, friend! This is mrhashimamin. And I’m back today with a new write-up for you, ma amigo <3.

So, let's get to it. Today's story is about an interesting logic bug I found on a note-taking app that allowed me to block any user from logging into his account, closed as informative (typical HackerOne triagers), and a medium severity IDOR (didn't pay yet - reported 32 days ago), so let's talk about it.

hashtag
How does the Auth system work?

  • POST request to the endpoint /getLoginOptions to get the loginOptionsToken

  • POST request to the endpoint /sendTemporaryPassword to send OTP/Login Link to the victim's mailbox

hashtag
And here's the catch:

If the user sends more than 3-4 requests/sec, his account will be limited for login for 2 minutes, then he can send more OTP/links.

hashtag
Another trick that I've found on the second request:

If we add those parameters: {"disableLoginLink":true,"shouldHidePasscode":true} the victim will get an empty login message in his mailbox.

hashtag
Python Script = Permanent Account Lockout

So, here’s the idea: we want to make this permanent, right? A Python script can automate the whole process:

  1. Send req1.

  2. Use the loginOptionsToken (from req1 response) in req2.

  3. Send a broken login messages to the victim’s mailbox.

While the script is running, the victim can’t log in/reset his password—he gets banned for 2 minutes over and over (due to the rate-limit mechanism) and sees no valid login links/otp in his mailbox.

hashtag
Attacker's POV

As long as the script keeps running, the victim will never be able to log in or reset his password.

hashtag
Victim's POV

hashtag
The other bug - IDOR:

There's a business plan: users here can ask owners for an upgrade to the higher plan (enterprise).

If you look at the request, there's a parameter called created_by_id.

If you simply change this ID to any other teammate's ID (which can be easily found in the members list), you'll ask the owner to upgrade to the enterprise plan with the victim's identity.

If the victim now tries to ask for an upgrade, he can't - he will encounter an error that states that he previously asked for one before.

That's the story for today. I hope you find this write-up useful. Thanks, and keep hacking 3>

PreviousSome Privilege Escalations + Logic Flaws Led to (DoS, Organization Takeover & more)NextLogic flaw k1lled business messaging for all users

Last updated