To The Point Version:

I hacked the Forgot Username functionality by adding an extra email parameter in the POST request, and the application sent me all the usernames attached to the victim’s account.

Whole story:

So, in this blog post, I’ll share an interesting bug that I found in Xandr (an AT&T subsidiary in the past, now owned by Microsoft). I am disclosing the target for 2 reasons: 1) The program was public. 2) All the issues have been fixed.

There is a Forgot Username functionality which, as its name suggests, lets a user retrieve all usernames associated with an email address. The user can then pick one of those usernames and do a password reset for it.

Back then, one of the first things I would test on a website was the “Forgot Password” flow, and naturally I started testing the forgot password flow for this target as well. To fully test the password reset, I first needed to test the Forgot Username flow.

The first challenge in testing it was to get a valid email, because the application was showing the popup below for a valid/invalid email:

I did some GitHub dorking, and after some time I was able to find a valid company email address for this application and yeah, a free password with it as well lol which I, of course, reported to them. I try to remain ethical. 😉

So, back to hacking: after trying techniques including host header injection, referral link manipulation, adding an array of emails, etc., I was running out of ideas. Then I just added an extra email parameter to the request for no particular reason and gave it a try:

And to my surprise, it worked 😀
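The bug described above comes down to how a backend handles a duplicated request parameter. The following is an added illustration, not code from the post or from Xandr: the account data is constructed, and the vulnerable handler is one hypothetical way such a flaw arises (the lookup reads the first `email` value while the mailer reads the last). The hardened handler refuses ambiguous input and only ever mails the address stored with the account.

```python
from typing import List, Optional, Tuple
from urllib.parse import parse_qs

# Constructed sample account store (email -> usernames); not real data.
ACCOUNTS = {
    "victim@example.com": ["victim_admin", "victim_ops"],
}


def forgot_username_vulnerable(body: str) -> Optional[Tuple[str, List[str]]]:
    """Hypothetical flawed handler: returns (recipient, usernames).

    The account lookup and the mailer each pick a different element of the
    duplicated 'email' parameter, so a second value redirects the mail.
    """
    params = parse_qs(body, keep_blank_values=True)
    emails = params.get("email", [])
    if not emails:
        return None
    lookup_email = emails[0]      # lookup uses the first value
    recipient = emails[-1]        # mailer uses the last value
    usernames = ACCOUNTS.get(lookup_email)
    if usernames is None:
        return None
    return recipient, usernames


def forgot_username_hardened(body: str) -> Optional[Tuple[str, List[str]]]:
    """Hardened handler: one email value only, recipient taken from the record.

    Returns None for both unknown and malformed input so the caller can send
    the same generic response either way and not reveal whether an email is valid.
    """
    params = parse_qs(body, keep_blank_values=True)
    emails = params.get("email", [])
    if len(emails) != 1:          # duplicated or missing parameter: refuse
        return None
    email = emails[0].strip().lower()
    usernames = ACCOUNTS.get(email)
    if usernames is None:
        return None
    # Recipient is the stored address, never anything derived from the request.
    return email, usernames
```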

Now I had butterflies in my stomach, and I opened the HackerOne program to report this issue, intending to work on further exploitation afterwards.

But those butterflies flew away very fast, as I came to know that Xandr doesn’t come under the bug bounty scope of AT&T.

Nonetheless, it was fun and I learned a new trick that day. So, in a way, it was worth it. 🙂

By anas
