Exposure of “Forgot Password” Token on Comments Controller Leads to Account Takeover

Hello there! Hope you are doing great!


# Description
While digging into your app's source code, I noticed that the `getComment()` function in CommentController had an IDOR, but when I tested it against a live ToolJet instance, I found that it is much worse than that.


This function returns not only the comment's data but also sensitive data about the user who created the comment, including their password hash and their "forgot password" token. With that token an attacker can simply set a new password for the victim and log into their account.

# How to Reproduce

1 => Create two different accounts. It works whether they are from the same tenant or not, but if they are, you will also be able to find the comment in the UI;

2 => While logged in as the victim, go to one of your apps and leave a comment in it. Then note the id of this comment for later;

3 => Now, unauthenticated and acting as the attacker, go to the forgot-password functionality and enter the victim's e-mail, so that a forgot-password token is generated for the victim;

4 => Log in as the attacker and make a GET request to `/api/comments/id-of-victim-comment-here`. It returns data about the victim user, such as their email, their hashed password, and also their forgot-password token;

5 => Log out and go to `/reset-password/forgot-password-token-here`. Set the new password you want for the victim account, and boom! Now you have access 🙂
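The chain in the steps above, together with the shape of the flaw in `getComment()` described earlier, as an added TypeScript illustration (this is not ToolJet's code): a vulnerable handler that hands back the comment entity with its full user relation, a hardened one that enforces tenancy and projects the user onto an allow-list of fields, and a driver that runs the report's attack against each. The in-memory users and comment, the field names `password` and `forgotPasswordToken`, and the token and reset helpers are all assumptions standing in for the real schema and endpoints.

```typescript
// Added illustration, not ToolJet code. In-memory stand-in for the comment -> user relation;
// the field names (password, forgotPasswordToken) are assumptions, not the real schema.
interface User {
  id: string;
  email: string;
  organizationId: string;
  password: string;                  // a bcrypt hash in the real app; a placeholder here
  forgotPasswordToken: string | null;
}

interface Comment {
  id: string;
  appId: string;
  organizationId: string;
  body: string;
  user: User;                        // eagerly loaded relation, as an ORM hands it back
}

// Constructed sample data: the victim and a colleague share a tenant, the attacker does not.
const victim: User = { id: "u-victim", email: "victim@example.com", organizationId: "org-A",
  password: "$2b$10$placeholder-hash", forgotPasswordToken: null };
const colleague: User = { id: "u-colleague", email: "colleague@example.com", organizationId: "org-A",
  password: "$2b$10$placeholder-hash", forgotPasswordToken: null };
const attacker: User = { id: "u-attacker", email: "attacker@example.com", organizationId: "org-B",
  password: "$2b$10$placeholder-hash", forgotPasswordToken: null };
const users: User[] = [victim, colleague, attacker];
const comments: Comment[] = [
  { id: "c-1", appId: "app-1", organizationId: "org-A", body: "looks good to me", user: victim },
];

function findUser(pred: (u: User) => boolean): User | null {
  const hits = users.filter(pred);
  return hits.length > 0 ? hits[0] : null;
}

function loadComment(commentId: string): Comment | null {
  const hits = comments.filter(c => c.id === commentId);
  return hits.length > 0 ? hits[0] : null;
}

// Step 3 of the report: the unauthenticated forgot-password flow stores a token on the user.
function requestPasswordReset(email: string): void {
  const u = findUser(x => x.email === email);
  if (u) u.forgotPasswordToken = "tok-" + u.id + "-" + Math.random().toString(36).slice(2);
}

// Step 5: /reset-password/<token> consumes the token and sets a new password.
function resetPassword(token: string, newPassword: string): User | null {
  const u = findUser(x => x.forgotPasswordToken !== null && x.forgotPasswordToken === token);
  if (!u) return null;
  u.password = "hash(" + newPassword + ")";
  u.forgotPasswordToken = null;
  return u;
}

// The vulnerable shape of getComment(): being logged in is the only check, and the entity is
// returned exactly as loaded, user relation included.
function getCommentVulnerable(requesterId: string, commentId: string): Comment | null {
  if (!findUser(x => x.id === requesterId)) return null;
  return loadComment(commentId);
}

// Hardened version: enforce tenancy on the comment (closes the IDOR) and project the user onto
// an explicit allow-list of fields (closes the exposure even if the access check ever regresses).
interface SafeComment { id: string; appId: string; body: string; user: { id: string; email: string } }

function getCommentHardened(requesterId: string, commentId: string): SafeComment {
  const requester = findUser(x => x.id === requesterId);
  const comment = loadComment(commentId);
  // One error for "missing" and "not in your tenant", so comment ids cannot be enumerated.
  if (!requester || !comment || comment.organizationId !== requester.organizationId) {
    throw new Error("comment not found");
  }
  return { id: comment.id, appId: comment.appId, body: comment.body,
    user: { id: comment.user.id, email: comment.user.email } };
}

// The report's chain end to end: trigger a reset for the victim, read the token through the
// comment endpoint as the attacker, then consume it. Returns true if the takeover succeeded.
type CommentHandler = (requesterId: string, commentId: string) => unknown;

function takeoverVia(getComment: CommentHandler): boolean {
  requestPasswordReset(victim.email);
  let token: string | null = null;
  try {
    const c = getComment(attacker.id, "c-1") as { user?: { forgotPasswordToken?: string | null } } | null;
    token = c?.user?.forgotPasswordToken ?? null;
  } catch {
    token = null;
  }
  return token !== null && resetPassword(token, "attacker-chosen") !== null;
}
```

The allow-list projection is deliberately separate from the access check: the tenancy check closes the IDOR, but cutting the user relation down to what the UI actually needs means that even if that check regresses, a fetched comment never carries a password hash or a reset token. The same projection belongs on every endpoint that loads a comment's user relation, not only on `getComment()`.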
