Summary by 7h3h4ckv157
- Create an account and verify your mail.
- Change your mail to the victim's mail address (pre-account takeover): the victim's mail is now saved on your verified account.
- When the victim tries to sign up with their mail, they can't, because the attacker has already claimed the victim's address (message: Sorry, this email address is already taken. Please try with a different email.).
- Even if the victim takes the account back through the forgot-password flow, the attacker can take it over again with a previously requested, still-unused forgot-password link (the exploit link).
Attack Steps
1: The attacker creates an account at https://app.withpersona.com/dashboard/register using any business mail (here I used a temp mail for testing).
2: After creating and verifying the account, the attacker logs out and requests a password reset link.
NOTE: Let's call this password reset link the exploit link. It must not be opened yet; it will be used later for exploitation.
3: After requesting and receiving the reset link, the attacker logs in to his own account with his credentials, without opening the exploit link.
4: The attacker then performs a pre-account takeover by simply changing his mail to the victim's address.
5: The pre-account takeover is done: the victim's mail is now set on the attacker's confirmed account, without the victim's knowledge.
Real Issue
6: Whenever the victim tries to create an account on app.withpersona.com, now or in the future, this message appears: Sorry, this email address is already taken. Please try with a different email.
7: The victim can simply use the reset-password function to set a new password and take the account back.
8: The victim is now logged in to their account.
9: The attacker can take over the victim's now-active account at any time using the exploit link: it still works even though both the email address and the password of the account have changed since it was issued.
--> The attacker can change the password of the victim's account without authorization and take it over for further malicious activities.
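The following is an added example, not code from the report or from Persona: a small model of the reset-token lifecycle that replays steps 1 to 9 above against two versions of the same service. The vulnerable version only makes reset tokens single-use and time-limited; the hardened version additionally binds each token to the email address it was sent to and to a per-account generation counter, and bumps that counter whenever the email or the password changes, so every outstanding link dies at that moment. Names, addresses and the in-memory store are assumptions for illustration; the model also assumes, as the report implies, that changing the account's email does not itself invalidate earlier reset links.

```python
"""Replay of the stale reset-link takeover: vulnerable vs. hardened service.
Constructed example; not the vendor's code."""
import hashlib
import secrets
import time

ALREADY_TAKEN = "Sorry, this email address is already taken. Please try with a different email."
TOKEN_TTL_SECONDS = 3600


def _h(value: str) -> str:
    # Only hashes of passwords and reset tokens are stored, as a real service would do.
    return hashlib.sha256(value.encode()).hexdigest()


class AccountService:
    def __init__(self, hardened: bool):
        self.hardened = hardened
        self.accounts = {}   # account_id -> {"email", "pw_hash", "generation"}
        self.by_email = {}   # email -> account_id
        self.tokens = {}     # token_hash -> {"account_id", "email", "generation", "expires"}
        self._next_id = 1

    def register(self, email: str, password: str) -> int:
        if email in self.by_email:
            raise ValueError(ALREADY_TAKEN)
        aid, self._next_id = self._next_id, self._next_id + 1
        self.accounts[aid] = {"email": email, "pw_hash": _h(password), "generation": 0}
        self.by_email[email] = aid
        return aid

    def login(self, email: str, password: str) -> bool:
        aid = self.by_email.get(email)
        return aid is not None and secrets.compare_digest(self.accounts[aid]["pw_hash"], _h(password))

    def request_reset(self, email: str) -> str:
        # The token remembers the address it was mailed to and the account generation at issue time.
        aid = self.by_email[email]
        token = secrets.token_urlsafe(32)
        self.tokens[_h(token)] = {"account_id": aid, "email": email,
                                  "generation": self.accounts[aid]["generation"],
                                  "expires": time.time() + TOKEN_TTL_SECONDS}
        return token

    def _invalidate_outstanding(self, aid: int) -> None:
        # Bumping the generation makes every token minted before this point unusable.
        self.accounts[aid]["generation"] += 1

    def change_email(self, aid: int, new_email: str) -> None:
        if new_email in self.by_email:
            raise ValueError(ALREADY_TAKEN)
        acct = self.accounts[aid]
        del self.by_email[acct["email"]]
        acct["email"] = new_email
        self.by_email[new_email] = aid
        if self.hardened:
            self._invalidate_outstanding(aid)

    def reset_password(self, token: str, new_password: str) -> bool:
        rec = self.tokens.pop(_h(token), None)          # single use in both modes
        if rec is None or rec["expires"] < time.time():
            return False
        acct = self.accounts[rec["account_id"]]
        if self.hardened and (rec["generation"] != acct["generation"] or rec["email"] != acct["email"]):
            return False                                 # stale link: email or password changed since issue
        acct["pw_hash"] = _h(new_password)
        if self.hardened:
            self._invalidate_outstanding(rec["account_id"])  # kill any other outstanding links
        return True


def replay_report(hardened: bool) -> dict:
    """Runs the report's steps 1-9 and returns what each side ended up with."""
    svc = AccountService(hardened)
    attacker, victim = "attacker@example.test", "victim@example.test"   # assumed addresses
    aid = svc.request_reset and svc.register(attacker, "attacker-pw")   # step 1
    exploit_link = svc.request_reset(attacker)                          # step 2: kept unused
    assert svc.login(attacker, "attacker-pw")                           # step 3
    svc.change_email(aid, victim)                                       # steps 4-5: pre-ATO
    try:
        svc.register(victim, "victim-pw")                               # step 6
        victim_signup_blocked = False
    except ValueError as exc:
        victim_signup_blocked = str(exc) == ALREADY_TAKEN
    victim_link = svc.request_reset(victim)                             # step 7
    victim_reset_ok = svc.reset_password(victim_link, "victim-pw")
    victim_logged_in = svc.login(victim, "victim-pw")                   # step 8
    attacker_reset_ok = svc.reset_password(exploit_link, "owned")       # step 9: stale link
    return {"victim_signup_blocked": victim_signup_blocked,
            "victim_reset_ok": victim_reset_ok,
            "victim_logged_in": victim_logged_in,
            "attacker_reset_ok": attacker_reset_ok,
            "attacker_logged_in": svc.login(victim, "owned"),
            "victim_still_logged_in": svc.login(victim, "victim-pw")}


if __name__ == "__main__":
    for mode in (False, True):
        print("hardened" if mode else "vulnerable", replay_report(mode))
```

In both modes the pre-account takeover itself succeeds (the victim cannot register and has to recover via reset), which is why the fix has to sit in the token check: rejecting a token whose bound email or generation no longer matches the account, and rotating the generation on every email or password change, is what turns step 9 from a takeover into a dead link.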
Impact
Improper access control (a password reset link that stays valid after the account's email address and password have both changed) leads to full account takeover.