How I found a simple and weird Account takeover bug

Hi fellows, today I am going to share a weird account takeover bug I found a few months ago in a digital mortgage company. Because it was a private program, and for privacy reasons, I can't name it; instead I will use privatesite.com throughout this post.

So, let's jump into the technical details. When you are performing recon on a small-scoped program you have to look at each and every function and operation. Following that approach I found an option to create an Agent account. An Agent account is a type of account where you can create buyer records with their data and send them to the company for recommendation.

Now, to create an agent account, all you have to do is enter a first name, last name, phone number and brokerage company name, and submit.

This is how an agent account is created

After submitting, you are redirected to the agent user panel without ever being asked to set a password.

my reaction when I saw it

After the redirect to the agent account panel, the URL looks like privatesite.com/agent/brokerage_name/username. Because there is no password protection, any user who visits that agent account link with a valid brokerage_name and username gets the agent account panel without any challenge, and is able to create and send buyer information to the company.
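To make the root cause concrete, here is an added illustration (my own code, not the site's): a minimal model of the `/agent/brokerage_name/username` route in the vulnerable shape described above, beside a hardened version that requires an authenticated session and binds it to the account named in the path. The brokerage and agent names are constructed sample data.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed in-memory store of agent accounts (hypothetical data, not from the post).
AGENTS = {
    ("acme-brokerage", "jdoe"): {"first": "Jane", "last": "Doe", "buyers": []},
}

@dataclass
class Request:
    path: str
    # (brokerage, username) established by a real login, or None for an anonymous visitor.
    session_user: Optional[Tuple[str, str]] = None

def parse_agent_path(path: str) -> Optional[Tuple[str, str]]:
    """Parse /agent/<brokerage_name>/<username> into a lookup key, or None if malformed."""
    parts = path.strip("/").split("/")
    if len(parts) != 3 or parts[0] != "agent":
        return None
    return parts[1], parts[2]

def agent_panel_vulnerable(req: Request):
    """The behaviour the post describes: a valid path alone is enough to get the panel.

    Authorization is derived purely from URL knowledge, so anyone who learns or guesses
    a brokerage_name/username pair is treated as that agent.
    """
    key = parse_agent_path(req.path)
    if key is None or key not in AGENTS:
        return 404, None
    return 200, AGENTS[key]

def agent_panel_hardened(req: Request):
    """Fix: the panel is served only to a logged-in session that owns the account in the URL.

    Account creation should end with a credential (password, or a verified email link)
    and a login step, never an unauthenticated redirect straight into the panel.
    """
    key = parse_agent_path(req.path)
    if key is None or key not in AGENTS:
        return 404, None
    if req.session_user is None:
        return 401, None          # anonymous: no panel, no buyer submission
    if req.session_user != key:
        return 403, None          # authenticated as a different agent: deny
    return 200, AGENTS[key]
```

The same ownership check must guard the buyer-creation and submission endpoints, not just the panel page, or the takeover simply moves to those routes.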

Creating the buyer's information
Sending the buyer's information to the company

Just a simple observation and boom: an account takeover bug, triaged as P2.

Awarded a nice bounty 😉

Thanks for reading .
