Hi, I am Godson
The Story of an Account Takeover in the Fastmail Company:
What is Fastmail?
Fastmail is a privacy-friendly Gmail alternative. Get the best email features, without Google’s creepy surveillance. Fastmail replaces Gmail for people who care about privacy. If you want something easy to use that isn’t tied to one of the big tech giants, Fastmail is a great option.
Bug: Account Takeover
User Interaction Required: False (Maybe True?)
Yes, user interaction is needed, but not social engineering or chaining bugs in fastmail.com.
The Flow of the Application:
As usual, a user can create an account for free and use the application (mail service).
The application allows users to reset their password if they forget it.
The Reset Password page looks like this!
After entering the email,
Hmm, there is a Skip button. I clicked the Skip button.
The next page looks like this:
Yes, the application allowed me to change my password without any verification!
Wait, This is not what I reported!
Look closer at that image!
Then I asked my brother to create a new account and send me that email ID.
OK, then I tried with that email ID (from my brother).
Response from the server:
Hmm, here I thought the application verified me by checking my IP. Am I right?
So I connected to a VPN and tried again (with my account).
Response from the server:
Hmm, I am wrong. The application is not verifying users by IP address.
Then how? Sudden strike: maybe the User-Agent header?
Then I switched to another browser and tried with my email ID.
Yes, the server failed to verify my identity.
Response from the server:
Is this method of verification secure???
Just by knowing another user's User-Agent, an attacker is able to reset the password.
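To make the design point concrete, here is an added example (my own reconstruction, not Fastmail's code and not from the original post) that puts the weak check described above next to a hardened one. `WeakResetFlow` lets a reset skip e-mail verification whenever the request's `User-Agent` header matches the one remembered for the account, which is what the behaviour in the post looks like from the outside. `SafeResetFlow` instead treats possession of a random, single-use, expiring token that is only ever delivered to the mailbox as the proof of identity. Class names, the 15-minute TTL, the in-memory stores and the sample addresses are all assumptions made for the example.

```python
import hmac
import secrets
import time


class WeakResetFlow:
    """Assumed reconstruction of the weak design: a password reset may skip
    mailbox verification if the request's User-Agent matches the one stored
    for the account. The header is chosen by whoever sends the request, so it
    proves nothing about who that is."""

    def __init__(self, known_agents):
        # email -> User-Agent seen on a previous login (constructed sample data)
        self.known_agents = dict(known_agents)

    def may_skip_verification(self, email, request_headers):
        # Any client can send any User-Agent string, so matching it is not
        # an identity check; it only compares two attacker-controllable values.
        return request_headers.get("User-Agent") == self.known_agents.get(email)


class SafeResetFlow:
    """Hardened form: the only way to complete a reset is to present a secret
    token that was sent to the account's mailbox. Tokens are random, expire,
    and are consumed on first use."""

    TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime for the example

    def __init__(self, accounts, now=time.time):
        self.accounts = set(accounts)
        self.now = now              # injectable clock so expiry can be tested
        self.pending = {}           # email -> (token, expiry timestamp)
        self.outbox = []            # stands in for the mail transport (constructed)

    def start_reset(self, email):
        # Only registered accounts get a token, but the caller sees the same
        # message either way so the endpoint does not reveal which addresses exist.
        if email in self.accounts:
            token = secrets.token_urlsafe(32)
            self.pending[email] = (token, self.now() + self.TOKEN_TTL_SECONDS)
            self.outbox.append((email, token))
        return "If that address is registered, a reset link has been sent."

    def complete_reset(self, email, presented_token):
        entry = self.pending.get(email)
        if entry is None:
            return False
        token, expiry = entry
        if self.now() > expiry:
            del self.pending[email]  # expired tokens are discarded
            return False
        # Constant-time comparison so the check does not leak the token byte by byte.
        if not hmac.compare_digest(token.encode(), presented_token.encode()):
            return False
        del self.pending[email]      # single use: a replayed token fails
        return True


if __name__ == "__main__":
    weak = WeakResetFlow({"victim@example.com": "Mozilla/5.0 (constructed UA)"})
    print("weak flow skips verification for a matching UA:",
          weak.may_skip_verification("victim@example.com",
                                     {"User-Agent": "Mozilla/5.0 (constructed UA)"}))

    safe = SafeResetFlow(accounts={"victim@example.com"})
    print(safe.start_reset("victim@example.com"))
    _, token = safe.outbox[-1]
    print("safe flow without the token:", safe.complete_reset("victim@example.com", "guess"))
    print("safe flow with the mailed token:", safe.complete_reset("victim@example.com", token))
```

The difference to notice is where the secret lives: in the weak flow the "secret" is a header the client chooses, so whoever learns or guesses it wins; in the hardened flow the secret never leaves the server except through the mailbox, so completing the reset requires access to that mailbox.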
Heckur Mode ON!
I started my ngrok and sent that link to my brother (who created another account).
He clicked that link:
I copied the User-Agent and replaced my User-Agent with it (here I am using my brother's mail ID).
After replacing my User-Agent with my brother's User-Agent!
Then I forwarded the request.
Response from the server:
Wow, it works!
I reported the bug:
What? Maybe it is not a bug? (Maybe not a secure design, I think?)
Again I replied:
Then the response:
Then I realised that something is sus here. ^_^
Hmm, I tried to reproduce the bug.
But sadly, the bug was fixed.
Then I asked them:
Hi. You said that this is not a bug, but now this bug is fixed. What are you going to tell me about this activity?
Hmm. I am just broken.
Anyway, share your thoughts in the comment box.
Full PoC : https://www.youtube.com/watch?v=mscPpYyWcDA