📚 U.S. Dept Of Defense: Full Account Take-Over of ████████ Members via IDOR

Summary https://███████ is a Social Network Site belonging to US DoD. Membership is open to anyone, I have found a method to fully take-over any members' account by exploiting an IDOR bug in the ██████████ end-point. By changing the following values in the POST request to the affected end-point: userName originalEmail Email RecoveryEmail I am able to add Recovery Email address of my choice, thus, enabling me to send a password reset link to my attacker controlled email address. I have uploaded a video PoC to demo my finding. Note that the following test accounts were used: Attacker login: ████████ Victim login: ███████ I added ████ email into the victim account. Note that this only works on victims that have no recovery email address defined or recovery email that are not yet verified. This technique will NOT work on victims' that already have a confirmed recovery email address. Also note, that I am using multi-containers plugin for Firefox, therefore, each tab represents separate browser session. Finally, note that in my PoC video, I had to insert the victim recovery email link ████████/self?guid=█████████ into the attackers' session because a valid session is required to validate the email. The session does not necessary have to belong to the victims' session to validate. The IDOR bug can be obtained by intercepting the 2-FA Authentication switch: ███ Vulnerable End-Point Here is the vulnerable POST request when captured, the cookies and __RequestVerificationToken must be... ...