Tuesday, January 8, 2013

Password Reset Vulnerability in etsy.com

Posted by Yogesh  
Tagged as:
3:36 AM





TitlePassword Reset Vulnerability in etsy.com
Vuln URL
https://www.etsy.com/confirm.php?email=
Author: Yogesh D Jaygadkar
Reported: December 30, 2012
Fixed: December 30, 2012
Public ReleasedJan 08, 2013
 

Description:
In etsy.com, when users reset their password, they receives password reset link which is as below.

https://www.etsy.com/confirm.php?email=[User Email ID]&code=[Token code]&action=reset_password&utm_source=account&utm_medium=trans_email&utm_campaign=forgot_password_1

When I received this mail, I started playing with this link. I noticed that token is not getting validated from server side. So I removed it & tested with my own id. 



Final POC:
https://www.etsy.com/confirm.php?email=[victim user's email ID]&action=reset_password&utm_source=account&utm_medium=trans_email&utm_campaign=forgot_password_1
And Password changed successfully.









Finally I am listed in ETSY Thanks Page. & rewarded with $1500 bounty & T-shirt
Thanks to etsy security team for quick reply. 

Thanks to my friends : Darshit, sandeep, rahul bro, aasim , sagar 

About the Author

Write admin description here..

2 comments:

What they says

Proudly Powered by Blogger.
back to top