0-Click ATO via forgot password
https://bugcrowd.com/engagements/rapyd

Here’s how it went down:
Step 1: Registered my dummy victim@email.com (the goal is to take over that account, whatever it takes).
Step 2: Entered that email on https://[redacted-portal].rapyd.net/forgot and intercepted the request with Burp Suite.
Bypassing reCAPTCHA: the server responded to the POST request immediately, without the captcha having been solved.
Step 3: Noticed the backend used JSON parameters. Hmm… What if I tamper with these?
Step 4: Duplicated the email field in the JSON payload:
POC:
Step 5: Sent the request.
Then, after a moment...
And the password reset link for the victim’s email landed in the attacker’s inbox, just like that! Even though attacker@gmail.com wasn’t registered on the platform in the first place!

☠️ The password reset link for victim@email.com was delivered to attacker@email.com despite:
Attacker email not being registered in Rapyd
Victim email being the legitimate account
Technical Analysis:
Vulnerability Type: JSON Parameter Pollution
Root Cause: Backend parser processing both email parameters instead of rejecting duplicates or using last occurrence
Rarity Factors:
Most JSON parsers either reject duplicate keys or keep only the last instance
This implementation, unusually: a) processes the first email to identify the victim account, and b) uses the second email for reset-link delivery
Critical impact achieved without requiring attacker email registration
This wasn’t just a bug, it was a business-critical flaw. Attackers could hijack any account, drain funds, or disrupt entire companies.
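As an added defensive example (not code from the writeup or from Rapyd), the snippet below shows why the duplicated key goes unnoticed with a lenient parser, which silently keeps only the last "email", and how a strict parser plus delivery to the address stored on the account closes the flaw. The request bodies, the account store and the handler are constructed stand-ins.

```python
import json
from typing import Any

# Constructed sample request bodies for a forgot-password endpoint. The first
# mirrors the writeup's payload: the "email" key appears twice, victim first.
POLLUTED_BODY = '{"email": "victim@email.com", "email": "attacker@email.com"}'
NORMAL_BODY = '{"email": "victim@email.com"}'

# Constructed stand-in for the account store (hypothetical, not Rapyd's).
REGISTERED_USERS = {"victim@email.com": {"id": 1, "email": "victim@email.com"}}


class DuplicateKeyError(ValueError):
    """Raised when a JSON object repeats a key."""


def lenient_email(body: str) -> str:
    # Python's json module silently keeps the LAST duplicate, so a handler
    # reading "email" here never learns that two values were supplied.
    return json.loads(body)["email"]


def _reject_duplicates(pairs: list[tuple[str, Any]]) -> dict:
    # object_pairs_hook sees every key/value pair before they are collapsed
    # into a dict, which is the only point at which duplicates are visible.
    seen: dict = {}
    for key, value in pairs:
        if key in seen:
            raise DuplicateKeyError(f"duplicate JSON key: {key!r}")
        seen[key] = value
    return seen


def parse_strict(body: str) -> dict:
    return json.loads(body, object_pairs_hook=_reject_duplicates)


def forgot_password(body: str) -> dict:
    """Hardened handler: strict parsing, and the reset link goes only to the
    address stored on the account, never to a value taken from the request."""
    try:
        data = parse_strict(body)
    except (DuplicateKeyError, json.JSONDecodeError):
        return {"status": 400, "sent_to": None}
    email = data.get("email")
    if not isinstance(email, str):
        return {"status": 400, "sent_to": None}
    user = REGISTERED_USERS.get(email.lower())
    # Same 200 whether or not the account exists, so the endpoint does not
    # leak which addresses are registered; delivery uses the stored address.
    return {"status": 200, "sent_to": user["email"] if user else None}
```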
Other Methods:
https://www.youtube.com/watch?v=8vWc15KcKGs&list=PLYq73lsQ7MT3FokfqmqAsjPQhhKZNbGF0
https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Account%20Takeover
https://bugcrowd.com/engagements/rapyd/hall_of_fames

That's it for this section and thanks for reading! 👋