📚 UPchieve: Full account takeover of any user through reset password

Summary: Hi Security team members, Usually, If we reset our password on https://app.upchieve.org that time we got a password reset link on the email. And through that password reset link, we can reset our password. But, I noticed that if we add another email in the request of forgot password through Burpsuite then both person will get the same password reset token in their email. So, an attacker can takeover any account without the user's interaction. Steps To Reproduce: Navigate to: https://app.upchieve.org/resetpassword Then, enter the victim's email address Intercept this request Now, add your email also in the JSON body. like this: {"email":["[email protected]","[email protected]"]} Forward this request Now victim and you will receive the same password reset link {F1278871} By using that link which you just received in your email You can fully takeover the victim's account by reset password. POC: {F1278872} Impact It is a critical issue because an attacker can change any user's password without any user interaction. This attack does not require any interaction from the victim to perform any actions and yet the account can be taken over by the attacker. An attacker can fully takeover any user's... ...