How a Crowdtesting Find Exposed an Arbitrary Password‑Reset Vulnerability
During a crowdtesting engagement the author uncovered a critical identity‑verification flaw that lets anyone change any user's password using only the username and phone number, detailing the discovery process, exploited endpoints, and the low barrier to hijack accounts.
Introduction
A procurement platform's password-reset flow allowed an attacker who knows only a user's username and phone number to change that user's password. The SMS verification code shown on the reset page was never actually checked by the server, so the "second factor" in the flow provided no protection.
Vulnerability Discovery
The target asset was identified with FOFA. Its password-reset page displayed a verification-code field, but the homepage showed no registration link. Inspecting the site's JavaScript files with the findsomething browser plugin, which extracts URLs and API paths embedded in scripts, revealed the hidden registration endpoint.
The extracted paths were then copied into the Open-Multiple-URLs extension (https://github.com/htrinter/Open-Multiple-URLs), which opens every pasted URL in its own tab so each endpoint can be checked quickly. A limitation is that the copied paths are appended directly to the site root, so they must be adjusted by hand when the real API lives under a fixed prefix.
Password‑Reset Exploitation
After registering a normal account, the request sent by the "forgot password" function was captured. The server required the submitted username and phone number to match an existing binding, but it did not validate the verification code at all: a request with an empty or wrong code still succeeded and the response carried a result token for that account.
This result token is static: it is fixed per account and does not change after a password reset. It is consumed by a URL of the form https://xxx/pass.html?id=xxxxx. Because the forgot-password endpoint hands back the token for any username/phone pair it recognises, an attacker can submit a victim's username and phone number, take the token from the response, place it in the id parameter, and set a new password for the victim without any further verification.
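The two server-side defects in the flow above, the unchecked verification code and the static, reusable token, are easiest to see side by side. The following is an added example written for this page, not code from the original write-up or from the affected platform: it models the reset endpoint as plain Python functions, with the weak logic the article describes next to a hardened version. The user records, the token derivation, the in-memory stores and every function name are assumptions for illustration only.

```python
# Added example: a minimal model of the weak password-reset flow beside a
# hardened one. Nothing here is the platform's real code; users, token
# format and store names are constructed for illustration.
import hashlib
import hmac
import secrets
import time

# Constructed user table (username -> record); the real schema is unknown.
USERS = {
    "alice": {"phone": "13800000001", "password": "alice-old", "uid": 1001},
    "bob": {"phone": "13800000002", "password": "bob-old", "uid": 1002},
}


def vulnerable_forgot_password(username, phone, sms_code):
    """Weak flow: checks only the username/phone binding, ignores sms_code,
    and returns a token derived deterministically from the account (static)."""
    user = USERS.get(username)
    if user is None or user["phone"] != phone:
        return None
    # sms_code is never compared against anything, and the token is a fixed
    # function of the account, so every call returns the same value.
    return hashlib.md5(f"reset:{user['uid']}".encode()).hexdigest()


def vulnerable_reset(token, new_password):
    """Accepts the static token for any account; the token never expires."""
    for name, user in USERS.items():
        expected = hashlib.md5(f"reset:{user['uid']}".encode()).hexdigest()
        if hmac.compare_digest(token, expected):
            user["password"] = new_password
            return name
    return None


# ---- hardened version ------------------------------------------------------
PENDING_OTP = {}    # username -> (code, expiry); one outstanding code per user
RESET_TOKENS = {}   # sha256(token) -> (username, expiry); token stored hashed
OTP_TTL = 300       # seconds an SMS code stays valid
TOKEN_TTL = 600     # seconds a reset token stays valid


def send_otp(username, phone):
    """Issue a fresh six-digit code for a valid username/phone binding.
    Returned here only so the example can exercise it; a real server would
    send it by SMS and respond identically whether or not the binding exists."""
    user = USERS.get(username)
    if user is None or user["phone"] != phone:
        return None
    code = f"{secrets.randbelow(10**6):06d}"
    PENDING_OTP[username] = (code, time.time() + OTP_TTL)
    return code


def hardened_forgot_password(username, phone, sms_code):
    """Only a correct, unexpired code yields a token, and the token is random,
    single-use and short-lived rather than derived from the account."""
    user = USERS.get(username)
    if user is None or user["phone"] != phone:
        return None
    # Each code may be tried exactly once; a wrong guess burns it.
    pending = PENDING_OTP.pop(username, None)
    if pending is None or time.time() > pending[1]:
        return None
    if not hmac.compare_digest(pending[0], sms_code):
        return None
    token = secrets.token_urlsafe(32)
    key = hashlib.sha256(token.encode()).hexdigest()
    RESET_TOKENS[key] = (username, time.time() + TOKEN_TTL)
    return token


def hardened_reset(token, new_password):
    """Consume the token (pop removes it, so replaying it fails) and reject
    anything expired or unknown."""
    key = hashlib.sha256(token.encode()).hexdigest()
    entry = RESET_TOKENS.pop(key, None)
    if entry is None or time.time() > entry[1]:
        return None
    username, _ = entry
    USERS[username]["password"] = new_password
    return username
```

Running the weak path with any value for the code returns the same token every time, and that token keeps working after the password has been changed; the hardened path refuses a reset without a correct code and invalidates the token on first use. Storing only the SHA-256 of the token means a leaked RESET_TOKENS table cannot be replayed either.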
Lateral Information Gathering
To obtain a victim's username and phone number, the attacker logged in with the registered account, extracted the session cookie, and re-ran the findsomething enumeration with it. An authenticated endpoint, https://xxxx/.../getAnnouncement, leaked personnel contact details, including names, phone numbers and email addresses.
Brute-forcing name and phone-number combinations against this endpoint yielded valid username/phone pairs. Submitting such a pair to the forgot-password endpoint returned the victim's static result token, and substituting it into the password-reset URL changed the victim's password.
Impact
The vulnerability provides a low-effort path to hijack user accounts: the only inputs needed are a username and a phone number, both of which the platform itself leaked through getAnnouncement. Because the result token is static, it can be reused indefinitely, allowing repeated password changes for the same account and persistent control even after the victim resets the password. Remediation requires actually verifying the SMS code server-side before issuing any token, making the token random, single-use and short-lived, and removing personal contact data from the announcement endpoint.
This article has been distilled and summarized from source material, then republished for learning and reference.