Philippe Delteil

Summary

The author discovered a password reset token disclosure vulnerability in Chilexpress's website, which allowed unauthorized access to user accounts and sensitive information.

Abstract

In this article, the author shares their experience of finding a significant vulnerability in Chilexpress's website. The vulnerability was discovered when the "forgot password" functionality returned sensitive information, including user credentials and password reset tokens, to an unauthorized user. The author noticed this issue while creating a business account with Chilexpress and using the Burp Suite tool to analyze the application's requests and responses. They were able to demonstrate the impact of the vulnerability by logging into the site using the obtained credentials and attempting to make a high-value purchase. The author reported the issue to Chilexpress, who thanked them and promised future collaboration, but no further action was taken.

Opinions

  • The author believes that this vulnerability is one of the most incredible they have encountered, given Chilexpress's size and security certifications.
  • The author emphasizes the importance of testing even seemingly obvious functionalities, as large and mature companies can still have easily discoverable vulnerabilities.
  • The author suggests that companies should reward bug bounty hunters with more than just thanks, proposing a fee in Bitcoin or local currency for the effort and risk mitigation provided.
  • The author notes that Chilexpress had no prior knowledge of bug bounty hunting when it was mentioned to them.
  • The author highlights the strange behavior of the login functionality, which automatically displayed a predefined username ("User01") when the company's tax identification number was entered.
  • The author demonstrates the impact of the vulnerability by attempting to make a high-value purchase using another company's tax identification number, though they did not complete the transaction.

Password Reset Token Disclosure [Chilexpress]

Trying to reset a password might just give it to the attacker.

This must be one of the most incredible vulnerabilities I have come across so far. Mainly because Chilexpress is a large company that (supposedly) has gone through several rounds of penetration testing and security certifications.

Vulnerability

This vulnerability occurs when the “forgot password” functionality of a web application or service returns sensitive information, such as the account’s credentials or the password reset token, in the HTTP response to whoever submitted the request, instead of delivering the token only through an out-of-band channel the account owner controls (email or SMS). Anyone who knows the account identifier can then take over the account without ever receiving the reset message, and because the response differs for existing and non-existing accounts, the same endpoint also lets an attacker enumerate valid identifiers.
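As an added example (not the Chilexpress application’s code; the user table and RUT values are constructed placeholders), the following Python contrasts a “forgot password” handler with the flaw described above against a hardened one. The hardened version answers identically whether or not the identifier exists, keeps only a SHA-256 digest of a random single-use token with a short expiry, and hands the plaintext token to the caller only as a stand-in for the out-of-band delivery that a real deployment would perform.

```python
"""Added example: leaking vs. hardened password-reset handlers.

Not the application's real code. USERS and the RUTs below are constructed
sample data (placeholder taxpayer IDs), and the "out-of-band" delivery is
simulated by returning the token separately from the HTTP-style response.
"""
import hashlib
import secrets
import time

# Constructed sample account, keyed by RUT (Chilean tax ID). Placeholder values.
USERS = {
    "11111111-1": {
        "username": "User01",
        "password": "hunter2",
        "secret_question": "Name of your first pet?",
        "secret_answer": "Rex",
    },
}

TOKEN_TTL_SECONDS = 15 * 60            # reset tokens live 15 minutes
_reset_tokens = {}                      # sha256(token) -> (rut, expires_at)


def forgot_password_vulnerable(rut):
    """The pattern described in the post: the whole stored record, password
    and secret answer included, is sent back to whoever submitted the RUT.
    The differing 'not_found' reply also reveals which RUTs have accounts."""
    user = USERS.get(rut)
    if user is None:
        return {"status": "not_found"}
    return {"status": "ok", **user}


def forgot_password_hardened(rut, now=None):
    """Returns (http_response, out_of_band_token).

    The response is the same for known and unknown RUTs, so it leaks neither
    credentials nor account existence. Only a digest of the token is stored,
    so a database read does not yield usable tokens. The plaintext token is
    returned as the second element purely to model email/SMS delivery."""
    now = time.time() if now is None else now
    response = {
        "status": "ok",
        "message": "If an account exists for that RUT, reset instructions were sent.",
    }
    if rut not in USERS:
        return response, None
    token = secrets.token_urlsafe(32)
    digest = hashlib.sha256(token.encode()).hexdigest()
    _reset_tokens[digest] = (rut, now + TOKEN_TTL_SECONDS)
    return response, token


def redeem_token(token, new_password, now=None):
    """Consumes a reset token. Fails on unknown, already-used or expired tokens;
    the entry is removed on first presentation so a token works at most once."""
    now = time.time() if now is None else now
    digest = hashlib.sha256(token.encode()).hexdigest()
    entry = _reset_tokens.pop(digest, None)
    if entry is None:
        return False
    rut, expires_at = entry
    if now > expires_at:
        return False
    USERS[rut]["password"] = new_password
    return True


if __name__ == "__main__":
    print("vulnerable:", forgot_password_vulnerable("11111111-1"))
    resp, tok = forgot_password_hardened("11111111-1")
    print("hardened response:", resp)
    print("token redeemed:", redeem_token(tok, "new-password"))
    print("token reused:", redeem_token(tok, "another-password"))
```

When testing a real application with Burp, the check is the same as the assertions in this example: submit the forgot-password request for an identifier you control and for one that should not exist, and compare the two responses byte for byte; any credential, answer, or token in the body, or any difference between the two replies, is a finding.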

How I found the vulnerability

I often find web vulnerabilities in Chile by using day-to-day services. In this case, I opened a business account with Chilexpress (to send items more affordably and with some other advantages), and the first time I used it, I noticed something strange: when I entered my company’s RUT (tax identification number), it asked me to create a user with the name “User01,” and I couldn’t change the name. When I tried to log in again, I entered the RUT, and it automatically showed “User01.” I had never seen a page behave like that before.

A few weeks passed, and one day I decided to take a closer look at this strange login. I opened Burp and started reviewing the requests and responses of the application. To my surprise, when I clicked on the “Forgot Password” option, the response to the POST request returned all the user’s data: username, password, secret question, and answer to the secret question.

With the obtained credentials, I logged into the page to test the impact, which is important for the client/company to take you seriously. I tried using Falabella’s RUT and attempted to make a purchase worth over 17 million Chilean pesos (around $20,000) in cardboard boxes, but I obviously didn’t reach the final step. These business accounts work like post-payment accounts. You can make purchases without having to pay directly; it will be billed to the customer later.

It’s much easier to understand by watching a video. A video speaks louder than a thousand Medium posts:

The issue was reported, and the next day I received a call from the people responsible at the company. And then began the classic ritual: thanking me, requesting a quote to provide services to the company, and then nothing ever materializes. It would be much better if they paid a fee in Bitcoin or Chilean pesos that rewarded the effort and the risk mitigated for the company’s operations. Unfortunately, when I mentioned Bug Bounty Hunting to them, they had no idea about the topic.

In summary:

Reward: $0 + THANKS.

Promise of hiring: TRUE

Contracts finalized: 0

Learning: Always test everything, even the most obvious things. Never assume that just because a company is large, mature, or old, it couldn’t have serious and easily discoverable vulnerabilities.

Web
Bug Bounty
Hacking
Web Hacking