How I found an Account Takeover (ATO) vulnerability on takeuforward.org
How it all started
While browsing YouTube for DSA videos, I came across TakeUForward, a channel run by Raj Vikramaditya, popularly known as Striver. I noticed they had launched a DSA platform recently — it was about a month old at the time. Curious, I decided to dig into the website to see if I could uncover some juicy bug!
OK, let’s find a juicy bug
I took my weapon (Burp Suite) and went to takeuforward.org. On the homepage I saw a login option, thought it was a good place to start, and began intercepting requests.
Before you read on, I just want to say this is my first article. Let me know how it was.
On the login page I saw Forgot Password?. I had read many articles and learned that forgot-password flows are vulnerable most of the time, so I thought, let’s test this functionality.
It asked for an email. Since I had already made an account on the platform, I entered my email and clicked the submit button.
They sent an OTP to my email.
Here’s the juicy thing I noticed
Here we have to enter the OTP and a new password. If the OTP is valid, we’re able to change the password.
I entered 569656 (a random OTP) and a random password to observe the request.
If you look carefully at the cookie on the request, it has an otp key, which is strange to see; I had never seen something like that before.
On decoding the otp key, it was a hash string. I took help from ChatGPT and learned that it was bcrypt, then just Googled bcrypt to gain some info about it. The hashed OTP string had a cost factor of 12.
The hashed OTP string looked like:
$2a$12$VI1/nmpcWUkeku8p63QIDe2lABr1S39U.f0GO0As.4hHfhU7dloz
I wondered: what if this hashed OTP is the actual OTP that is being sent to the email for verification? That would mean the OTP check relies on a value held on the client side.
I thought, if this is the case, I can do something here.
How OTP verification worked in this case:
The server sends the OTP to the user’s email and stores the hashed form of the OTP in a cookie, then compares it with the OTP the user enters. If they match, the user is able to change the password.
After learning this, I figured out how to bypass it.
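As an added illustration (not code from the write-up or from takeuforward), here is the verification flow described above as a vulnerable check beside a hardened one that keeps the OTP server-side behind an opaque token, with expiry, single use and an attempt limit. It uses SHA-256 as a stand-in for bcrypt and an in-memory dict as the store; both are assumptions, since the point is where the hash lives, not which hash function produced it.

```python
import hashlib
import hmac
import secrets
import time

# Stand-in for bcrypt so the example runs on the standard library alone (assumption):
# the flaw is where the hash is kept, not which hash function produced it.
def otp_hash(otp: str) -> str:
    return hashlib.sha256(otp.encode()).hexdigest()

# Vulnerable design from the write-up: the only record of the OTP is the hash the
# client sends back in its cookie, so whoever controls the cookie decides what "valid" is.
def vulnerable_verify(cookie_otp_hash: str, user_otp: str) -> bool:
    return hmac.compare_digest(cookie_otp_hash, otp_hash(user_otp))

# Hardened design: the (hashed) OTP stays server-side, keyed by an opaque reset token.
# The cookie carries only the token, which says nothing about the OTP's value.
class ResetStore:
    def __init__(self, ttl_s: int = 600, max_attempts: int = 5):
        self._pending = {}  # token -> [email, otp_hash, expires_at, attempts_left]
        self.ttl_s, self.max_attempts = ttl_s, max_attempts

    def start(self, email: str) -> tuple[str, str]:
        otp = f"{secrets.randbelow(10**6):06d}"  # delivered only via the mailbox
        token = secrets.token_urlsafe(32)        # set as the cookie instead of the hash
        self._pending[token] = [email, otp_hash(otp), time.time() + self.ttl_s, self.max_attempts]
        return token, otp

    def verify(self, token: str, user_otp: str) -> bool:
        rec = self._pending.get(token)
        if rec is None or time.time() > rec[2]:   # unknown/forged token, or expired
            self._pending.pop(token, None)
            return False
        rec[3] -= 1
        ok = hmac.compare_digest(rec[1], otp_hash(user_otp))
        if ok or rec[3] <= 0:                     # single use; lockout caps guessing
            self._pending.pop(token, None)
        return ok

def demo() -> tuple[bool, bool]:
    """Replay the write-up's trick against both designs: a cookie built from a chosen OTP."""
    chosen = "569656"
    weak = vulnerable_verify(otp_hash(chosen), chosen)   # True: the forged cookie is accepted
    store = ResetStore()
    store.start("victim@example.com")                     # real token is never seen by the attacker
    strong = store.verify(otp_hash(chosen), chosen)       # False: not a known token
    return weak, strong
```

If reset state really must travel in the cookie, it needs a server-held secret (an HMAC or a signed token) so the client cannot substitute its own hash.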
How I verified a random OTP
Since I knew the cost factor of the hashed OTP, I went to a bcrypt generator site and generated a hash for 569656 (a random number) with cost factor 12.
In the request, I replaced the old OTP hash with the new hash.
Success
Then I sent the modified request to the server, and guess what, it worked.
I successfully changed the account password without knowing the actual OTP, which means I was able to log in to any user’s account.
After finding this vulnerability, I started writing a report for the takeuforward engineering team.
For the video PoC I used Striver’s account to show the impact of the vulnerability.
Timeline
16 August 2024 — reported
23 August 2024 — bug fixed
28 August 2024 — got reward
Well guys, you wanted to know the reward for this critical security vulnerability. I asked them for their DSA Pinnacle subscription, which is worth 7500/- INR, and they provided it.
I know I could have asked for more. To be very honest, I was expecting nothing after submitting the vulnerability report. Still, I’m happy to get a reward.
It was my first critical vulnerability that was recognized.
I hope you learned something new here.
We’ll meet again in another article. Until then, keep discovering juicy things on the internet !!
Thank you for reading.
Raj Ukani,
LinkedIn: rajukani100
Twitter: rajukani100
This was for educational purposes only, intended to raise awareness about potential vulnerabilities and emphasize the importance of secure coding practices.