Hey guys so this blog post is about a User Account Takeover issue that i discover. the bug was an Account Takeover issue that was found in Signup & Switch Accounts feature so here’s the a Short POC of the issue.
While testing i saw that there is a “Switch Accounts” Option in Application Menu
and mine was empty as You can see, that made me curious about what if “I can use it somehow to login to another account i don’t Own, or Hack Other User Accounts” But as first i didn’t really knew how this feature works so i did a simple Google search like site.com “Switch Accounts” I read like around 5-7 articles to understand the feature so after that i finally understand what this feature is for and how it works. I decided to signup for a new one i went to target.com/register and created a new account but then i noticed that when you signup for a new account it asks to put your “Name, Name of your team, Email, & Password”.
When you click “Sign Up” Button the user is taken to Dashboard No Confirmation, No Verification nothing & i was just shocked to see because this is what i wanted “NO VERIFICATION” because than one can abuse the switch account feature and access other teams/companies just by signing up with there email.
So what i did i created a New Accounts Using my old email address that had an account already on it & Now You can access all other teams on that email using “Switch Accounts” Feature. To verify this once again i created an account using @company.com email and than i simply visited switch account and boom i had access to many teams/companies that email belonged to.
And That’s What all i had to do to Takeover Any User Account Just by knowing Their EMAIL.
- Always check if the site signup feature asks for verification
- Read feature docs to understand how the feature works (In this the Switch Accounts feature was actually meant for People who are a part of multiple teams)
Thanks for Reading 🙂