How a Crowdtesting Find Exposed an Arbitrary Password‑Reset Vulnerability

During a crowdtesting engagement the author uncovered a critical identity-verification flaw that lets anyone change any user's password knowing only the username and phone number; the write-up details the discovery process, the endpoints involved, and how little effort account takeover requires.

Black & White Path

Introduction

A procurement platform’s password‑reset flow allowed an attacker who knows a user’s username and phone number to change that user’s password without any additional verification.

Vulnerability Discovery

The target asset was identified with FOFA. Its password-reset page showed a verification-code field, but no registration link was visible on the homepage. Inspecting the site's JavaScript files with the findsomething plugin revealed a hidden registration endpoint.

The findsomething plugin copies every URL found on a page and opens them automatically. It is available at https://github.com/htrinter/Open-Multiple-URLs. One limitation: the copied paths are appended to the site root, so they need manual adjustment when the real path includes a fixed prefix.

Password‑Reset Exploitation

After registering a normal account, the network request triggered by the "forgot password" function was captured. The request required a correct account-to-phone binding, but the verification code was never validated: the server returned a result token anyway.

This result token is static: it does not change after a password reset. It is used in a URL of the form https://xxx/pass.html?id=xxxxx. Replacing the id value with a victim's token lets the attacker reset that victim's password without any further verification.
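To make the two failures concrete (the verification code is never checked, and the reset id is a static value that can be replayed), here is an added Python example that is not code from the original write-up or from the affected platform. It reproduces the weak pattern against a constructed in-memory user table, then shows a hardened flow in which the code is validated first, the token is random, stored only as a hash, time-limited and consumed on first use. All names, the user table, the SMS "outbox" and the injectable clock are constructed for the example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory user table for the example; the platform's real data
# model is unknown and is not reproduced here.
USERS = {"alice": {"phone": "13800000001", "password": "old-password"}}

# --- The weak pattern the write-up describes ---------------------------------
# The reset "id" is derived only from the account, so it is static and is handed
# out without the verification code ever being checked.
def static_id(username):
    return hashlib.sha256(f"reset-id:{username}".encode()).hexdigest()[:16]

def weak_forgot_password(users, username, phone, code):
    user = users.get(username)
    if user is None or user["phone"] != phone:
        return None
    return static_id(username)          # `code` is never looked at

def weak_reset_password(users, token, new_password):
    for name in users:                  # any holder of the static id wins, any number of times
        if hmac.compare_digest(static_id(name), token):
            users[name]["password"] = new_password
            return True
    return False

# --- Hardened flow: code checked first; token random, hashed, expiring, single-use
class ResetService:
    CODE_TTL = 300      # seconds an SMS code stays valid
    TOKEN_TTL = 600     # seconds a reset token stays valid
    MAX_ATTEMPTS = 5    # wrong-code guesses before the code is discarded

    def __init__(self, users, now=time.time):
        self.users = users
        self.now = now                  # injectable clock so expiry can be tested
        self.pending = {}               # username -> [code, expires_at, attempts]
        self.tokens = {}                # sha256(token) -> (username, expires_at)
        self.sms_outbox = []            # stand-in for the SMS gateway (constructed)

    def request_code(self, username, phone):
        """Step 1: issue a code only to the bound phone. The caller always gets
        the same answer, so the response does not confirm the binding."""
        user = self.users.get(username)
        if user is not None and hmac.compare_digest(user["phone"], phone):
            code = f"{secrets.randbelow(10**6):06d}"
            self.pending[username] = [code, self.now() + self.CODE_TTL, 0]
            self.sms_outbox.append((phone, code))
        return "If the account exists, a code has been sent."

    def verify_code(self, username, phone, code):
        """Step 2: exchange a correct, unexpired code for a fresh reset token."""
        entry = self.pending.get(username)
        user = self.users.get(username)
        if entry is None or user is None or not hmac.compare_digest(user["phone"], phone):
            return None
        expected, expires_at, attempts = entry
        if self.now() > expires_at or attempts >= self.MAX_ATTEMPTS:
            self.pending.pop(username, None)
            return None
        if not hmac.compare_digest(expected, code):
            entry[2] += 1               # count the miss; lock out after MAX_ATTEMPTS
            return None
        self.pending.pop(username)      # a code is consumed on first success
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self.tokens[digest] = (username, self.now() + self.TOKEN_TTL)
        return token

    def reset_password(self, token, new_password):
        """Step 3: the token is removed on presentation, valid or not, so it can
        be used exactly once; any other tokens for the user are revoked as well."""
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self.tokens.pop(digest, None)
        if entry is None:
            return False
        username, expires_at = entry
        if self.now() > expires_at:
            return False
        self.users[username]["password"] = new_password
        self.tokens = {k: v for k, v in self.tokens.items() if v[0] != username}
        return True
```

The important design points are that nothing is minted until the code is verified, the token has no relationship to the account identifier, only its hash is stored, and presenting it once removes it. A reset link built from such a token cannot be predicted from a username and cannot be replayed after the first use.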

Lateral Information Gathering

To obtain a victim’s username and phone number, the attacker logged in, extracted the session cookie, and re‑ran the findsomething enumeration. An endpoint https://xxxx/.../getAnnouncement leaked personnel contact information, including phone numbers and emails.

By brute-forcing name-and-phone combinations against this endpoint, the attacker retrieved the required data. Substituting the victim's static result token into the password-reset URL then successfully changed the victim's password.

Impact

The vulnerability provides a low‑effort path to hijack user accounts. The static nature of the result token means it can be reused indefinitely, allowing repeated password changes for the same account.
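Both behaviours described above (bulk name-and-phone guessing against the forgot-password endpoint, and a reset id being presented more than once) leave traces in ordinary access logs. The following is an added example, not part of the original write-up: it parses constructed log lines in a simple access-log style and flags a source address that submits many distinct username/phone pairs in a short window, and any reset id that is presented repeatedly, which a correctly issued single-use token never would be. The endpoint paths, addresses and ids are made up for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (timestamp, client IP, method, path, optional
# form fields, status). They are not from the affected platform.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z 203.0.113.5 POST /api/forgotPassword user=alice phone=13800000001 status=200
2024-03-01T10:00:02Z 203.0.113.5 POST /api/forgotPassword user=bob phone=13800000002 status=200
2024-03-01T10:00:03Z 203.0.113.5 POST /api/forgotPassword user=bob phone=13800000003 status=400
2024-03-01T10:00:04Z 203.0.113.5 POST /api/forgotPassword user=carol phone=13800000004 status=400
2024-03-01T10:00:05Z 203.0.113.5 POST /api/forgotPassword user=carol phone=13800000005 status=200
2024-03-01T10:00:06Z 203.0.113.5 POST /api/forgotPassword user=dave phone=13800000006 status=400
2024-03-01T10:30:00Z 198.51.100.7 POST /api/forgotPassword user=erin phone=13800000007 status=200
2024-03-01T10:31:00Z 198.51.100.7 GET /pass.html?id=tok-erin status=200
2024-03-01T11:00:00Z 203.0.113.5 GET /pass.html?id=tok-alice status=200
2024-03-02T09:00:00Z 203.0.113.9 GET /pass.html?id=tok-alice status=200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+)"
    r"(?: user=(?P<user>\S+) phone=(?P<phone>\S+))? status=(?P<status>\d+)$"
)

def parse_log(text):
    """Turn raw lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.fromisoformat(d["ts"].replace("Z", "+00:00"))
        events.append(d)
    return events

def detect_enumeration(events, window_seconds=300, threshold=5):
    """Source IPs that submit at least `threshold` distinct (user, phone) pairs
    to the forgot-password endpoint within any sliding window of
    `window_seconds`. Failed and successful attempts both count: the guessing
    itself is the signal."""
    by_ip = defaultdict(list)
    for e in events:
        if e["method"] == "POST" and e["path"] == "/api/forgotPassword":
            by_ip[e["ip"]].append((e["ts"], (e["user"], e["phone"])))
    flagged = set()
    for ip, items in by_ip.items():
        items.sort()
        start = 0
        for end in range(len(items)):
            while (items[end][0] - items[start][0]).total_seconds() > window_seconds:
                start += 1
            distinct = {pair for _, pair in items[start:end + 1]}
            if len(distinct) >= threshold:
                flagged.add(ip)
                break
    return flagged

def detect_token_reuse(events):
    """Reset ids presented more than once, with when and from where. A properly
    issued reset token is single-use, so a repeat is a replay or a static id."""
    seen = defaultdict(list)
    for e in events:
        if e["path"].startswith("/pass.html?id="):
            token = e["path"].split("id=", 1)[1]
            seen[token].append((e["ts"], e["ip"]))
    return {tok: uses for tok, uses in seen.items() if len(uses) > 1}
```

Thresholds here are deliberately low to keep the sample small; in practice they are tuned against the normal rate of reset requests, and the token-reuse check is most useful when the reset id is also compared against the account it was issued for.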

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.
