Hi fellows, today I'm going to share a weird account takeover bug I found a few months ago in a digital mortgage company. For privacy reasons, and because it was a private program, I can't name the company; I'll use privatesite.com throughout the post instead.
So, let's jump into the technical details. When you're doing recon on a small-scoped program, you have to look at each and every function and operation. Doing that, I found an option to create an Agent account. An Agent account is a type of account where you can enter buyer information and send it to the company for a recommendation.
To create an agent account, all you have to do is enter a first name, last name, phone number and brokerage company name, then submit.
After submitting, you are redirected to the agent user panel without ever being asked to set a password.
After the redirect, the agent panel URL looks like privatesite.com/agent/brokerage_name/username. Because there is no password protection, any user who visits that agent account link with a valid brokerage_name and username gets the agent panel without any hurdle and is able to create and send buyer information to the company.
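To show where the check was missing, here is an added example of my own (not the site's code): a minimal Python model of the vulnerable route, where a valid brokerage/username in the path is the only check, next to a hardened handler that serves the panel only to a session logged in as that exact account. The account records, passwords and paths are constructed for the demo.

```python
import hashlib, hmac, secrets

# Constructed sample account store (not the site's real data). Each record carries a
# per-account salt and PBKDF2 hash so the hardened handler has a credential to verify.
def _hash_pw(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

_SALT = b"constructed-salt"
AGENTS = {
    ("acme-realty", "jdoe"):  {"phone": "555-0100", "salt": _SALT,
                               "pw_hash": _hash_pw("correct horse", _SALT)},
    ("bay-homes", "asmith"):  {"phone": "555-0101", "salt": _SALT,
                               "pw_hash": _hash_pw("battery staple", _SALT)},
}
SESSIONS = {}  # session token -> (brokerage, username) of the logged-in agent

def parse_agent_path(path):
    """'/agent/<brokerage_name>/<username>' -> (brokerage, username), else None."""
    parts = path.strip("/").split("/")
    if len(parts) != 3 or parts[0] != "agent":
        return None
    return parts[1], parts[2]

def agent_panel_vulnerable(path):
    """The reported behaviour: knowing a valid path is enough to get the panel (HTTP status)."""
    key = parse_agent_path(path)
    if key is None or key not in AGENTS:
        return 404
    return 200  # panel served to any visitor; no identity was ever established

def login(brokerage, username, password):
    """Issue a session token only after the password verifies; returns None on failure."""
    acct = AGENTS.get((brokerage, username))
    if acct is None:
        return None
    if not hmac.compare_digest(_hash_pw(password, acct["salt"]), acct["pw_hash"]):
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = (brokerage, username)
    return token

def agent_panel_secure(path, session_token):
    """Hardened handler: require a valid session AND that it belongs to the account in the URL."""
    key = parse_agent_path(path)
    if key is None or key not in AGENTS:
        return 404
    principal = SESSIONS.get(session_token)
    if principal is None:
        return 401  # no login: the URL alone proves nothing
    if principal != key:
        return 403  # logged in, but as a different agent
    return 200
```

The same "does the session principal match the resource in the path" check is what a server-side test or a log-based detection should assert on: a 200 for an agent panel with no session cookie is the signal that the bug described above is back.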
Just a simple observation, and boom: an account takeover bug, marked as P2.
Awarded a nice bounty 😉
Thanks for reading.