Critical: Account Takeover via Interesting Logic Issue $$$$

Hamzadzworm
4 min readNov 3, 2024

--

Hi again , My name is abdelkader mouaz and also know as Hamzadzworm

“Today, I’ll share an interesting finding that allowed me to takeover any account for any user in company”

I received a private program invite, so I started investigating. I noticed that you can only log in with a PIN code, not a password. Every time you attempt to log in, a 6-digit PIN code is sent to use instead of a password.

There’s a rate limit on attempts, which block me from brute-forcing the code, though it’s still somewhat challenging.

I started using my account like a regular user and noticed that whenever I changed my email, the system logged me out. To log in again, a 6-digit code is sent to the new email I provided.

As I continued investigating, I discovered another subdomain where I could log in using the same credentials I used on the main domain. I attempted to open my account on two different subdomains and change my email, but it failed because the system enforced a forced logout on both domains.

After further testing, I found out that they offer a paid business service, and I began thinking about potential ways to exploit it.

  1. I created a new business account.
  2. I invited my main account as an admin to this business account.

3.Since my main account is a regular (non-business) account, I now have the option to switch between my personal account and the business account where I was invited as an admin.

If I open my main account on two different domains, it usually disconnects one session. To bypass this forced logout, I first open my main account in the main domain as a personal account, then switch it to business mode in the second subdomain where it’s set as an admin for (another account).

Next, I change my email in the main domain, causing it to disconnect. However, in the second tab (where I had switched my account to business mode), I switch it back to personal mode. This action retains my session without disconnecting, despite the email change.

Then, when I try to update my email, I encounter an “email already exists” error. I bypass this restriction by adding %20 (URL-encoded space) at the end of the email.

Here are the streamlined steps:

  1. Register a personal account in the main domain.
  2. Register a new business account in a different tab.
  3. Invite my personal account as an admin from the business account.

4.My personal account gains a new feature that allows switching between personal and business modes.

5.I log in with my main account on the main domain.

6.I then log in again with the same account on a second subdomain in a new tab and switch it to business mode which is an admin for (another account)

7.I change my email to one that already exists on the main domain, adding a space (%20) at the end to bypass the "email already exists" check.

8.My account is logged out from the main domain due to the email change, but it remains logged in on the second subdomain because it’s in business mode , not personal.

9.I switch back to personal mode on the subdomain, and I was logged in directly to the victim’s account whose email I entered. :)

Result:

i hope you enjoyed this write up

see you in comming write ups :D

--

--