Hello from Egypt 🙂
Today I will blog about a Remote Password Reset vulnerability that I found in one of Yahoo's domains/applications.
Vulnerable domain: https://login43.marketingsolutions.yahoo.com #Now this domain is down for good.
The case started when I was browsing one of Yahoo's advertising pages and found an "Example" page explaining how to create an advertising account, reset your password, etc.
All of that was explained using images; one of the images contained a token to reset a user's password, and it was a test user!
So I tried OCR on that image to get access to that token.
What is OCR:
Optical character recognition, usually abbreviated to OCR, is the mechanical or electronic conversion of scanned or photographed images of typewritten or printed text into machine-encoded, computer-readable text.
In simple words, OCR technology helps you (for example) extract text written inside images. #Simple enough?!
However, after the OCR part and getting the token, I tried to test it, and it was a valid token 😀
So, after some Googling of the vulnerable file, I found another token cached in Google's "time machine", and guess what?
It was a valid one too!
Using that token I was able to reset the password of the user the token belonged to, without being logged in and without access to that user's account.
Just to make it clear, the bug occurs because a reset token should be valid only for the same user who holds it and for nobody else, but in this writeup you may have noticed that I got hold of 2 different reset tokens and both worked!
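To make the defensive side concrete, here is an added example (not Yahoo's code, and not from the original post) of how a reset-token store can close the gaps this writeup exploits: the token is bound to the user it was issued for, stored only as a hash, expires quickly, and is invalidated on first use, so a token that leaks through a screenshot or a search-engine cache cannot be replayed later. The class name, the TTL and the in-memory dictionary are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Short lifetime so a token captured in documentation or a cache goes stale (hypothetical value).
TOKEN_TTL_SECONDS = 15 * 60


class ResetTokenStore:
    """Hypothetical in-memory reset-token store; a real site would back this with a database."""

    def __init__(self, clock=time.time):
        self._clock = clock
        # sha256(token) -> (user_id, expires_at). Only the hash is stored, so a
        # leaked copy of this table does not hand out usable tokens.
        self._pending = {}

    @staticmethod
    def _hash(token):
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, user_id):
        """Create a fresh random token bound to exactly one user."""
        token = secrets.token_urlsafe(32)
        self._pending[self._hash(token)] = (user_id, self._clock() + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, user_id, token):
        """Return True only if the token is unexpired, unused and issued to user_id."""
        key = self._hash(token)
        entry = self._pending.get(key)
        if entry is None:
            return False  # unknown or already used
        bound_user, expires_at = entry
        if self._clock() > expires_at:
            del self._pending[key]  # stale tokens are purged, never accepted
            return False
        # Constant-time comparison: the token is rejected for any other account.
        if not hmac.compare_digest(bound_user, user_id):
            return False
        del self._pending[key]  # single use: a replayed token fails from here on
        return True


if __name__ == "__main__":
    store = ResetTokenStore()
    t = store.issue("test-user")
    print("other account:", store.redeem("someone-else", t))  # False
    print("right account:", store.redeem("test-user", t))     # True
    print("replay:", store.redeem("test-user", t))            # False
```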
Below is a video as a Proof of Concept for the vulnerability:
Yahoo fixed the issue in a short time slot, so we don't end up like Syria and Iraq 😀
Follow me @twitter.com/zigoo0