Account Takeover via Password Reset without user interactions

Program: gitlab
Bug Type: Account Takeover
Bounty: 35000
Date: 2023-12-20
account-takeover gitlab burpsuite

Summary

"The researcher found a way to successfully take over an account by exploiting a logical flaw in the reset password functionality. Proof of concept:

  • Go to the "Forgot Your Password?" link.
  • Enter the victim's email and intercept the submit request via Burp Suite.
  • Then right-click in the HTTP editor inside Burp Suite and select Extensions -> Content-Type Converter -> Convert to JSON (make sure the Content-Type Converter plugin is installed from the BApp Store).
  • Now replace this converted JSON line "user[email]":"[email protected]", with

```
"user": {
  "email": [
    "[email protected]",
    "[email protected]"
  ]
},
```

  • Forward the request; the reset link is sent to the attacker's email as well."

References