📚 Twitter: Reset password without knowing current password
💡 News category: Security vulnerabilities
🔗 Source: vulners.com
Description

Hi team, I found an interesting flaw in your password recovery mechanism that gives the ability to reset a password without a valid token and without knowing the current password. I'm going to explain it here:

In the https://www.twitterflightschool.com/ domain, if you try to reset your password from https://www.twitterflightschool.com/student/authentication/request_password_reset you'll get a reset password link in your email that looks like:

https://www.twitterflightschool.com/student/authentication/reset_password/<TOKEN>

If you are logged in to your account, your application doesn't validate the token at all. Actually, for resetting the password we don't need a token! Just via the https://www.twitterflightschool.com/student/authentication/reset_password/ link, we can reset our password!

In this domain, on the profile page, for changing the password you should enter the current password first, but using this issue it's possible to bypass this and update the password without knowing the current password.

Note: For abusing this issue an attacker first needs to hijack the victim's session, because while you are using https://www.twitterflightschool.com/student/authentication/reset_password/ to change the password it changes the current user's password. So the attack scenario is limited to when an attacker has successfully hijacked a victim's session and wants to update the password (but doesn't know the current password). He uses this issue to bypass Change Password in the profile section and update the password without knowing the current... ...
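The report describes two separate defects in one endpoint: the reset handler treats a logged-in session as sufficient and never checks the token, and that lets the session-only path bypass the current-password check on the profile page. The following is an added illustration, not code from the report or from Twitter Flight School, written in plain Python with an in-memory user record (all names, the PBKDF2 parameters and the 15-minute token lifetime are assumptions for the example). It puts a model of the reported logic flaw next to a hardened version in which the reset path requires a fresh, single-use, expiring token regardless of session state, and the authenticated change path requires the current password.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed in-memory user record for the example; a real app would use persistent storage.
@dataclass
class User:
    username: str
    password_hash: str
    reset_token_hash: Optional[str] = None   # only a hash of the token is stored
    reset_token_expires: float = 0.0

PBKDF2_ROUNDS = 100_000  # assumed work factor for the example

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256; returns 'salt$digest' in hex."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex() + "$" + digest.hex()

def verify_password(password: str, stored: str) -> bool:
    salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(digest.hex(), digest_hex)

def vulnerable_reset(session_user: Optional[User], token: str, new_password: str) -> bool:
    """Models the reported flaw: a logged-in session is accepted as sufficient
    and the token (which may be empty) is never checked."""
    if session_user is None:
        return False
    session_user.password_hash = hash_password(new_password)
    return True

def issue_reset_token(user: User, ttl: int = 900, now: Optional[float] = None) -> str:
    """Hardened: random token, hashed at rest, with an expiry. The plaintext goes in the email only."""
    token = secrets.token_urlsafe(32)
    user.reset_token_hash = hashlib.sha256(token.encode()).hexdigest()
    user.reset_token_expires = (now if now is not None else time.time()) + ttl
    return token

def reset_password_with_token(user: User, token: str, new_password: str,
                              now: Optional[float] = None) -> Tuple[bool, str]:
    """Hardened reset: session state is irrelevant; the token must be present,
    unexpired, match the stored hash in constant time, and is consumed on use."""
    if not token or user.reset_token_hash is None:
        return False, "no token"
    if (now if now is not None else time.time()) > user.reset_token_expires:
        return False, "expired"
    presented = hashlib.sha256(token.encode()).hexdigest()
    if not hmac.compare_digest(presented, user.reset_token_hash):
        return False, "invalid token"
    user.password_hash = hash_password(new_password)
    user.reset_token_hash = None      # single use
    user.reset_token_expires = 0.0
    return True, "ok"

def change_password_logged_in(user: User, current_password: str,
                              new_password: str) -> Tuple[bool, str]:
    """Hardened profile-page change: the current password is required, so a
    hijacked session alone cannot set a new one; any pending reset link is voided."""
    if not verify_password(current_password, user.password_hash):
        return False, "current password incorrect"
    user.password_hash = hash_password(new_password)
    user.reset_token_hash = None
    user.reset_token_expires = 0.0
    return True, "ok"

if __name__ == "__main__":
    alice = User("alice", hash_password("old-secret"))
    print("vulnerable path, empty token:", vulnerable_reset(alice, "", "attacker-chosen"))
    bob = User("bob", hash_password("old-secret"))
    print("hardened path, empty token:", reset_password_with_token(bob, "", "x"))
    tok = issue_reset_token(bob)
    print("hardened path, valid token:", reset_password_with_token(bob, tok, "new-secret"))
    print("replay of same token:", reset_password_with_token(bob, tok, "again"))
```

The two properties to test for when reviewing a reset flow are visible in the hardened functions: the reset endpoint must fail closed when the token is missing or wrong even for an authenticated session, and the authenticated change path must independently verify the current password. Logging the "no token" and "invalid token" outcomes per account also gives a detection signal for the probing the report describes.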