Today I am going to share an interesting finding that allowed me to change the password of almost “150 million” eBay users!
I was checking my e-mail when I found a “View your recent activity” message from PayPal. I checked the links inside the message and found an “Open Redirection” vulnerability!
I decided to report it to PayPal. I asked a friend of mine about the PayPal security e-mail, and he told me that I should register on eBay to report vulnerabilities to PayPal :).
Well, I went to eBay to register and found two other vulnerabilities while registering! I reported the three bugs and waited.
Two days later, I tried to log in to my eBay account to check the status of my 3 reports, and like every time, I had forgotten my password 🙁 .
I went to the “Forget Password” page at eBay to see how secure their password reset mechanism is.
So here is how users can change their own passwords on eBay:
1- The user navigates to the “Forget password” page and enters his registered email or username.
2- eBay offers three options for changing your password (email, text message or phone call).
3- If you use the email method, they send you an email that includes a reset password link where you can change your password.
So let's fire up Burp Suite to see what happens behind the scenes..
Visiting (https://fyp.ebay.com/EnterUserInfo?&clientapptype=19) and entering my e-mail address took me to another page that asked where I wanted to get my “Reset Password Link”. I chose “By E-mail” and intercepted the request:
After forwarding that request, I received an email with a change password link. I clicked on the link, and it took me to another page where I had to create my new password. I entered my new password, hit enter and intercepted the request, which looked like:
Have you noticed that??!!
Wow, instead of using the secret “reqinput” value that was sent to the user’s email, eBay uses the same “reqinput” value that was generated in the first request!!!
I went again to the “Forget Password” page, entered the victim’s email, chose to send the “Reset Password link” to e-mail, captured the request and saved the “reqinput” value.
Then I repeated the POST request “shown in the last screenshot” and replaced the reqinput value with the new one. I posted it, but it gave me an error!!
Why? Because the user has to “click” on the link sent to the email before the server unlocks the change password process, “and this is the only user interaction that has to be taken in order to make the attack succeed”.
After the user clicked on the “reset password” link, I was able to change his password 🙂
This means that an attacker can hijack millions of user accounts in a targeted attack.
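To make the root cause concrete, here is an added toy example (my own code, not eBay's, written for this post) of a password-reset service in two versions. The first authorizes the final password change by the “reqinput” flow id that is handed back to whoever started the reset, with the emailed link merely “unlocking” that id, which is the pattern described above. The second authorizes the change only by a random secret that exists solely in the email, stored hashed, time-limited, single use and bound to the account. Names such as `WeakResetService`, `HardenedResetService`, the 15-minute lifetime and the `victim@example.test` account are assumptions of this example.

```python
# Added example (not eBay's code): a toy password-reset service showing the
# authorization flaw described above beside a hardened variant.
import hashlib
import hmac
import secrets
import time

RESET_TTL_SECONDS = 15 * 60  # assumed lifetime for a reset link


def _hash_pw(password: str) -> str:
    # Toy hash for the demo; a real service uses argon2/bcrypt/scrypt.
    return hashlib.sha256(password.encode()).hexdigest()


class WeakResetService:
    """Authorizes the change by the flow id ('reqinput') returned to whoever
    started the reset. The emailed link only marks that id as unlocked."""

    def __init__(self):
        self.passwords = {}   # email -> password hash
        self.flows = {}       # reqinput -> {"email", "unlocked"}
        self.outbox = []      # (email, reqinput), standing in for sent mail

    def begin_reset(self, email: str) -> str:
        reqinput = secrets.token_urlsafe(16)
        self.flows[reqinput] = {"email": email, "unlocked": False}
        self.outbox.append((email, reqinput))   # the link carries this value
        return reqinput                           # ...and so does the response

    def click_link(self, reqinput: str) -> None:
        # The account owner clicking the emailed link.
        self.flows[reqinput]["unlocked"] = True

    def set_password(self, reqinput: str, new_password: str) -> bool:
        flow = self.flows.get(reqinput)
        if not flow or not flow["unlocked"]:
            return False
        self.passwords[flow["email"]] = _hash_pw(new_password)
        return True


class HardenedResetService:
    """Authorizes the change only by a secret that is delivered in the email:
    random, stored hashed, time-limited, single use, bound to the account."""

    def __init__(self, now=time.time):
        self.passwords = {}
        self.flows = {}       # reqinput -> {"email", "token_hash", "expires"}
        self.outbox = []      # (email, reqinput, token)
        self._now = now       # injectable clock so expiry can be tested

    def begin_reset(self, email: str) -> str:
        reqinput = secrets.token_urlsafe(16)          # public flow id only
        token = secrets.token_urlsafe(32)             # secret, emailed only
        self.flows[reqinput] = {
            "email": email,
            "token_hash": hashlib.sha256(token.encode()).hexdigest(),
            "expires": self._now() + RESET_TTL_SECONDS,
        }
        self.outbox.append((email, reqinput, token))
        return reqinput                               # token is never returned

    def set_password(self, reqinput: str, token: str, new_password: str) -> bool:
        flow = self.flows.get(reqinput)
        if not flow:
            return False
        if self._now() > flow["expires"]:
            self.flows.pop(reqinput, None)            # expired: discard it
            return False
        presented = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(presented, flow["token_hash"]):
            return False                              # wrong or missing secret
        self.flows.pop(reqinput)                      # single use
        self.passwords[flow["email"]] = _hash_pw(new_password)
        return True


def weak_flow_lets_initiator_change_password() -> bool:
    """Reproduces the reported behaviour: a third party starts the reset and
    holds reqinput; once the owner clicks the link, the third party's change
    request is accepted."""
    svc = WeakResetService()
    svc.passwords["victim@example.test"] = _hash_pw("original")  # constructed
    reqinput = svc.begin_reset("victim@example.test")     # started by a third party
    svc.click_link(svc.outbox[-1][1])                    # owner clicks the link
    return svc.set_password(reqinput, "chosen-by-initiator")


def hardened_flow_results() -> dict:
    """Same sequence against the hardened service: only the emailed secret works,
    and only once."""
    clock = [1_000_000.0]
    svc = HardenedResetService(now=lambda: clock[0])
    svc.passwords["victim@example.test"] = _hash_pw("original")  # constructed
    reqinput = svc.begin_reset("victim@example.test")
    _, _, emailed_token = svc.outbox[-1]
    results = {
        "without_secret": svc.set_password(reqinput, "", "x"),
        "wrong_secret": svc.set_password(reqinput, "not-the-token", "x"),
        "with_secret": svc.set_password(reqinput, emailed_token, "new-pass"),
        "replayed": svc.set_password(reqinput, emailed_token, "again"),
    }
    clock[0] += RESET_TTL_SECONDS + 1                     # now test expiry
    reqinput2 = svc.begin_reset("victim@example.test")
    late_token = svc.outbox[-1][2]
    clock[0] += RESET_TTL_SECONDS + 1
    results["expired"] = svc.set_password(reqinput2, late_token, "late")
    results["password_is_new"] = svc.passwords["victim@example.test"] == _hash_pw("new-pass")
    return results


if __name__ == "__main__":
    print("weak service accepts initiator's change:", weak_flow_lets_initiator_change_password())
    print("hardened service:", hardened_flow_results())
```

The design point is that the value returned to the requester of a reset and the value that authorizes the change must be different secrets with different audiences: the first is at best a correlation id, the second must only ever exist in the channel the account owner controls. Storing only a hash of the emailed token, expiring it, and deleting it on first use limit the damage if the reset table or the mailbox is later exposed.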
Here is a real life attack scenario diagram:
Enjoy watching the POC video