Tokopedia Account Takeover Bug Worth 8 Million IDR

Image for post
Image for post

Hi Infosec community,

In October month i was just searching for bug bounty programs through google dorks & I landed on this link .

I went through terms and conditions. I started hunting for bugs & within an hour i found account takeover bug.

Steps To Reproduce:

Victim email of tokopedia account: ezgcmmfgc@champmails.com
1. Go to the https://accounts.tokopedia.com/reset-password
2. Now type the victim account email id & click on continue button. After that select verification method email.
3. Now copy the full URL from address bar. Which look like https://accounts.tokopedia.com/otp/c/page?otp_type=132& email=ezgcmmfgc%40champmails.com&ld=https://account s.tokopedia.com/resetpassword?e=ZXpnY21tZmdjQGNoYW1wbWFpbHMuY29t

4. Now in above URL. See there is password reset URL. Which start after “ld” parameter.
https://accounts.tokopedia.com/resetpassword?e=ZXpnY21tZmdjQGNoYW1wbWFpbHMuY29t

6. Now in password reset URL we have to just add “&otpcode=000000” at the end of password reset URL.
For ex.
https://accounts.tokopedia.com/resetpassword?e=ZXpnY21tZmdjQGNoYW1wbWFpbHMuY29t &otpcode=000000
7. Now go to the above URL. And just enter the password of whatever you choice. Victim Tokopedia account is successfully takeover.

Video POC:

Timeline:

14-Oct-2018: Reported

15-Oct-2018: Received Response

“Hi,

Thank you for waiting. Your report has been verified, and it’s a valid security bug with Critical Severity. We are still fixing this bug, please be patient.”

17-Oct-2018: Fixed

17-Oct-2018: 8 Million IDR Rewarded

Image for post
Image for post
Bounty mail

6-Dec-2018: Received Bounty.

Twitter : https://twitter.com/ironfisto

Few more account takeover writeups coming . Thank for reading. Bye

Written by

lone warrior

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store