
Account Takeovers Techniques


March 23, 2023 / By Securium Solutions

Have you ever wondered about the possibility of your personal account being hacked, or are you curious about celebrities having to deal with some kind of data breach? Well, it is actually not as uncommon as many people believe. There are numerous cases in which celebrities and other prominent people have been victims of hacking attempts by cyber criminals.

Account takeover is a technique in which an attacker gains control of a specific account and uses it for malicious activities. Attackers can use a taken-over account to get a foothold in your network, or to steal financial information or system details from the account.

So, in this blog, we will look at how we can identify account takeover and what methodology we can use to find this vulnerability.

What is an Account Takeover?

It is a type of attack that allows an unauthorized user to gain access to your online accounts, such as your email, social media, or banking accounts, by exploiting vulnerabilities.

It can be caused by a number of factors, such as weak passwords, phishing attacks, software vulnerabilities, and social engineering tactics.

Types of Account takeover

Pre-Account Takeover: In this vulnerability an attacker creates a user account using one signup method, for example sign up with Google, and the victim later creates an account with the same e-mail address through a different sign-up method. Because the e-mail address is the same, the application links the two accounts. This happens when the application does not verify the e-mail address before linking.

How to Hunt:

  • Register an account with your e-mail address on the sign-up page.
  • A verification e-mail is sent to your address.
  • Without verifying that e-mail, try to register with the same address again, this time using a different method such as sign up with Google.
  • Because both addresses are the same, the application treats them as one user and links the accounts.
  • Now log in with the e-mail and password and check whether the information retrieved via Google appears in that account; if it does, the accounts were linked without verification.
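The linking decision described above, as an added example that is not part of the original post: a vulnerable version that merges purely on e-mail equality, beside a hardened version that never merges a social login into an account whose address was never verified. The AccountStore and link_federated_login names are hypothetical.

```python
# Added illustration (not Securium's code) of how an application should decide
# whether a social sign-in may be linked to an existing local account.
from dataclasses import dataclass, field


@dataclass
class Account:
    email: str
    email_verified: bool
    providers: set = field(default_factory=set)  # e.g. {"password", "google"}


class AccountStore:
    def __init__(self):
        self.by_email = {}  # lower-cased e-mail -> Account

    def register_with_password(self, email: str) -> Account:
        # Local signup: the address stays unverified until the mailed link is clicked.
        acct = Account(email.lower(), email_verified=False, providers={"password"})
        self.by_email[acct.email] = acct
        return acct

    def confirm_email(self, email: str) -> None:
        self.by_email[email.lower()].email_verified = True


def link_federated_login_vulnerable(store: AccountStore, email: str, provider: str) -> Account:
    # Vulnerable: links on e-mail equality alone, so the Google login silently
    # merges with an unverified password account created by someone else.
    email = email.lower()
    acct = store.by_email.get(email)
    if acct is None:
        acct = Account(email, email_verified=True, providers={provider})
        store.by_email[email] = acct
    acct.providers.add(provider)
    return acct


def link_federated_login_safe(store: AccountStore, email: str, provider: str) -> Account:
    # Hardened: merge only with an account that already proved ownership of the
    # address. An unverified account loses its credentials instead of being merged.
    email = email.lower()
    acct = store.by_email.get(email)
    if acct is None:
        acct = Account(email, email_verified=True, providers={provider})
        store.by_email[email] = acct
        return acct
    if not acct.email_verified:
        acct.providers = {provider}      # drop the unverified password login
        acct.email_verified = True
        return acct
    acct.providers.add(provider)
    return acct
```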

Account takeover due to Rate limit : Rate limiting is a technique used by websites and applications to limit the number of requests or actions that a user or system can perform within a certain period of time.

If an application fails to implement rate limiting correctly, an attacker can take advantage of this to brute force the authentication. This can result in account takeover.

How to Hunt:

  • Capture the request sent by the login page when you provide a username and password.
  • Send it to Intruder and brute force it.
  • Analyze the responses and their lengths.
  • If the attempts are never stopped or blocked, the login endpoint has no rate limiting; from there the password can be found and the account taken over.
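The control whose absence the hunting steps above detect, as an added example that is not from the original post: a login throttle that counts recent failures per username and per source address and locks the key out once a threshold is crossed. The thresholds and the LoginThrottle name are assumptions for illustration.

```python
# Added example (not Securium's code): failure-window rate limiting for a login endpoint.
import time
from collections import defaultdict, deque

WINDOW_SECONDS = 300          # count failures over the last 5 minutes
MAX_FAILURES_PER_USER = 5     # assumed thresholds
MAX_FAILURES_PER_IP = 50
LOCKOUT_SECONDS = 900         # 15-minute lockout once a threshold is crossed


class LoginThrottle:
    def __init__(self, clock=time.time):
        self.clock = clock                   # injectable for testing
        self.failures = defaultdict(deque)   # key -> timestamps of failures
        self.locked_until = {}               # key -> unix time lock expires

    def _recent(self, key):
        now = self.clock()
        q = self.failures[key]
        while q and now - q[0] > WINDOW_SECONDS:   # drop failures outside the window
            q.popleft()
        return len(q)

    def is_blocked(self, username, ip):
        now = self.clock()
        return any(self.locked_until.get(k, 0) > now for k in (f"u:{username}", f"ip:{ip}"))

    def record_failure(self, username, ip):
        now = self.clock()
        for key, limit in ((f"u:{username}", MAX_FAILURES_PER_USER), (f"ip:{ip}", MAX_FAILURES_PER_IP)):
            self.failures[key].append(now)
            if self._recent(key) >= limit:
                self.locked_until[key] = now + LOCKOUT_SECONDS

    def record_success(self, username):
        self.failures.pop(f"u:{username}", None)


def attempt_login(throttle, check_password, username, password, ip):
    # Returns "blocked", "failed" or "ok". The same "failed" answer is given for
    # an unknown user and a wrong password so usernames cannot be enumerated.
    if throttle.is_blocked(username, ip):
        return "blocked"
    if check_password(username, password):
        throttle.record_success(username)
        return "ok"
    throttle.record_failure(username, ip)
    return "failed"
```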

Account takeover by Response & Status Code Manipulation: An attacker sends a request to the server and is able to modify the server's response in transit, bypassing authentication. This usually happens when the authentication decision is enforced only in the client-side application and not on the web server, so the client logs the user in whenever the response says the required condition was met.

How to Hunt:

  • While logging in with an OTP, enter a wrong OTP and check whether the response looks like:
    {"success": "false"}
  • Now enter the correct OTP and check that the response looks like:
    {"success": "true"}
  • Now enter a wrong OTP again and change the intercepted response from
    {"success": "false"}
    to
    {"success": "true"}
  • If this logs you in, the same manipulation can log you into any account on the application.
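The server-side design that makes the response flip above harmless, as an added example that is not part of the original post: the OTP check mints a session token only on a genuine match, and every later request is authorised from the server's own session table, so a client that rewrites success to true still holds nothing the server recognises. The function names and the 6-digit sample OTP are constructed.

```python
# Added example (not Securium's code): authorisation must rest on server-held state,
# never on a success flag the client can rewrite.
import hmac
import secrets

SESSIONS = {}   # token -> username, held server-side only


def verify_otp(expected_otp: str, submitted: str, username: str) -> dict:
    # Constant-time compare; on success mint a random token and remember it
    # server-side. The JSON body sent back is informational only.
    if not hmac.compare_digest(expected_otp.encode(), submitted.encode()):
        return {"success": False}
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = username
    return {"success": True, "session": token}


def load_profile(request_headers: dict) -> str:
    # Every later request is authorised from SESSIONS, so a flipped
    # {"success": false} in an earlier response grants nothing.
    token = request_headers.get("Authorization", "").removeprefix("Bearer ")
    user = SESSIONS.get(token)
    if user is None:
        return "401 Unauthorized"
    return f"200 profile of {user}"


def tampered_client_flow() -> str:
    # Simulates the hunting step: wrong OTP, response flipped to success in transit.
    resp = verify_otp("482913", "000000", "alice")
    resp["success"] = True                  # the in-transit edit
    token = resp.get("session", "")         # no token was ever issued
    return load_profile({"Authorization": f"Bearer {token}"})
```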

Account takeover via IDOR: IDOR (Insecure Direct Object Reference) is a type of security vulnerability that occurs when a user is able to access or modify resources in a system that they should not have access to. It happens when an application exposes a direct reference to an internal implementation object, such as a database record or a file, without proper authentication or authorization checks.

How to Hunt:

  • Log in to your account.
  • In the request, try changing the account identifier from 2 to 3.
  • If you are now logged in as the third user, it is an account takeover vulnerability.
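The missing check behind the "change 2 to 3" step, as an added example that is not from the original post: an endpoint that only verifies a session exists, beside one that also verifies the requested record belongs to the caller, returning the same error for "not yours" and "does not exist". The Session class, the ACCOUNTS table and its rows are constructed for illustration.

```python
# Added example (not Securium's code): object-level authorisation for a direct reference.
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    user_id: int
    is_admin: bool = False


ACCOUNTS = {  # constructed sample data; the integer key is what the client sends
    2: {"owner": 2, "email": "alice@example.com", "balance": 120},
    3: {"owner": 3, "email": "bob@example.com", "balance": 9800},
}


def get_account_vulnerable(session: Session, account_id: int) -> dict:
    # Checks only that a session exists, then trusts the client-supplied id.
    if session is None:
        raise PermissionError("not logged in")
    return ACCOUNTS[account_id]


def get_account_safe(session: Session, account_id: int) -> dict:
    # Authorisation: the record must belong to the caller (or caller is admin).
    if session is None:
        raise PermissionError("not logged in")
    record = ACCOUNTS.get(account_id)
    if record is None or (record["owner"] != session.user_id and not session.is_admin):
        # Same error for "missing" and "not yours" so valid ids cannot be enumerated.
        raise LookupError("account not found")
    return record


def is_denied(session: Session, account_id: int) -> bool:
    # Helper for callers that want a boolean rather than an exception.
    try:
        get_account_safe(session, account_id)
        return False
    except (LookupError, PermissionError):
        return True
```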

Account takeover by Password Reset Poisoning: Password reset poisoning is a type of attack where an attacker tricks a vulnerable website into sending a password reset link to a domain that they control. This can be done by manipulating the password reset mechanism in a way that the website generates a password reset link pointing to a malicious domain instead of the legitimate one.

Once the victim clicks the poisoned link, the reset token reaches the attacker's domain, and the attacker can use it to reset the password of the user whose account is associated with that e-mail address. This is possible because the password reset process typically relies on a secret token in a link sent to the user's e-mail address, and the attacker controls the domain that link points to.

How to Hunt:

  • Intercept the password reset request in Burp Suite.
  • Add or edit the Host-related headers in Burp Suite, trying each of the following variants:

Host: attacker.com

Host: target.com
X-Forwarded-Host: attacker.com

Host: target.com
Host: attacker.com

  • Analyze the response and check which host the generated reset link points to.
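The root cause of all three header variants above, as an added example that is not from the original post: a reset-link builder that takes its host from the request, beside one that uses a configured canonical origin and additionally refuses requests with a missing, duplicated or unexpected Host. Headers are modelled as (name, value) pairs so the duplicate-Host variant can be represented; the origin, function names and e-mail lookup are assumptions.

```python
# Added example (not Securium's code): never derive the password reset URL from
# Host or X-Forwarded-Host; take it from deployment configuration.
import secrets
from urllib.parse import urlencode

CANONICAL_ORIGIN = "https://target.com"   # constructed: would come from server config
ALLOWED_HOSTS = ("target.com",)           # constructed allow-list for the Host header


def _all(headers, name):
    # All values of a header, in order; HTTP permits repeats.
    return [v for n, v in headers if n.lower() == name.lower()]


def reset_link_vulnerable(headers, token):
    # Trusts X-Forwarded-Host, then Host, and (like many frameworks) the last value.
    hosts = _all(headers, "X-Forwarded-Host") or _all(headers, "Host")
    return f"https://{hosts[-1]}/reset?{urlencode({'token': token})}"


def reset_link_safe(headers, token):
    # Ignores request headers entirely; the origin is server configuration.
    return f"{CANONICAL_ORIGIN}/reset?{urlencode({'token': token})}"


def host_header_is_trusted(headers):
    # Defence in depth: exactly one Host header, and it must be on the allow-list.
    hosts = _all(headers, "Host")
    if len(hosts) != 1:
        return False
    return hosts[0].split(":")[0].lower() in ALLOWED_HOSTS


def issue_reset(headers, email):
    # Returns the link that would be e-mailed to `email`, or None when the
    # request is refused. (Looking the user up by e-mail is omitted.)
    if not host_header_is_trusted(headers):
        return None
    token = secrets.token_urlsafe(32)
    return reset_link_safe(headers, token)
```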

Author

Nitin 

Cyber Security Intern
