Declined
Last Updated: 03 Apr 2024 15:24 by Sagar
Sagar
Created on: 01 Apr 2024 18:08
Category: UI for WinForms
Type: Bug Report
0
Account Takeover
# Vulnerability Report: Account Takeover via Email Change Functionality

## Summary:
During security testing of the email change functionality on the Telerik website, it was discovered that the application can be vulnerable to an account takeover attack. The vulnerability allows an attacker to change the email address associated with an account to their own email address, effectively taking over the victim's account.

## Vulnerability Details:
- **Functionality Description:**
  - The Telerik website provides a functionality for users to request a change in their email address.
  - This functionality consists of two sections: current email and new email.
  - The current email is not accessible from the user interface, while the new email can be inputted by the user.
  - After inputting the new email and clicking the "Change Email" button, the user's request is processed.

- **Attack Scenario:**
  1. **Attacker Inputs Their Email:** The attacker inputs their own email address in the new email section.
  2. **Intercepting the Request:** Using interception tools, the attacker intercepts the request before it is sent to the server.
  3. **Modifying the Request:** The attacker modifies the request to replace their own email address with the victim's email address in the current email section.
  4. **Consent Form Manipulation:** Additionally, the attacker can manipulate the consent form associated with the email change request to gain access to the victim's account without their consent.
  5. **Changing the Email Address:** The modified request is forwarded to the server, resulting in the victim's email address being changed to the attacker's email address.



## Impact:
- **Account Takeover:** The vulnerability allows an attacker to take over the victim's account by changing the email address associated with it.
- **Data Access:** Once the attacker gains access to the victim's account, they may have unauthorized access to sensitive data and functionalities associated with the account.

## Mitigation Recommendations:
- **Input Validation:** Implement strict input validation to ensure that only legitimate email addresses are accepted in the new email section.
- **Consent Verification:** Require additional verification steps, such as email confirmation or user authentication, before processing email change requests.
- **Session Management:** Implement session management mechanisms to detect and prevent unauthorized access to account settings and functionalities.
- **Security Awareness:** Educate users about the risks of phishing attacks and social engineering tactics used by attackers to gain unauthorized access to accounts.

## Affected URL:
- Email Change Functionality: [https://www.telerik.com/account/support-center/email-change](https://www.telerik.com/account/support-center/email-change)

## Conclusion:
The discovered vulnerability poses a significant security risk to Telerik website users by allowing attackers to take over accounts through manipulation of the email change functionality. It is imperative for the development team to address this vulnerability promptly by implementing appropriate security controls and mitigations to safeguard user accounts from unauthorized access.

**Best Regards,**
Sagar Dhoot
Attached Files:
4 comments
Sagar
Posted on: 03 Apr 2024 15:24
Thank you for clarification and the points. I'll make sure to make a proper and detailed POC and explanation in future.
ADMIN
Lance | Senior Manager Technical Support
Posted on: 03 Apr 2024 15:12

Hello Sagar,

Our triage investigation has concluded, thank you for your patience. I am following up with you to share our findings.

Findings

After careful review of all systems involved, we have concluded this report does not describe a viable Account Takeover (T1098) technique. Here are a few statements to explain the finding.

1) The submission form, which you are modifying the HTTP request’s content, is not connected to any account database or critical systems. It is simply a tool to help you open a ticket quicker by pasting in the content.

There is no difference between opening a ticket yourself to type in this information manually or using the form to paste it in for you. To explain this further with evidence, here is a screenshot of when you submitted your modified form. 

Notice “attacker@gmail.com” is plainly visible in the content of the support ticket (i.e. the HTTP request modification does not obscure the value in the ticket). At no time is the attacker email hidden from the content, this is identical to any manual request for account detail changes.

2) Even if a MITM attacker changes the body of the request, an account representative has to always manually reviewed the request details with the account holder and requires legal/business proof of ownership. This is not an automated process and has never been directly connected to any account systems.

3) This attack vector is a MITM-like attack (man in the middle) where the request was modified between the user’s submission and the endpoint the HTTP request is received. MITM attacks are out of scope of our bug bounty program, please see the VDP Pro: Progress Software - DevTools - Bugcrowd Out of Scope list.

Conclusion

I would to still like to thank you for taking the time to open this report. It has brought to our attention a web page on our site that is no longer used anyways, we will remove it in a future update to Your Account to avoid any future confusion. For bringing this to our attention, I have awarded your account with some Telerik Points as a small gesture of appreciation.

Thank you again, have a great rest of the day.

Regards,
Lance | Manager Technical Support
Progress Telerik

Love the Telerik and Kendo UI products and believe more people should try them? Invite a fellow developer to become a Progress customer and each of you can get a $50 Amazon gift voucher.

Sagar
Posted on: 02 Apr 2024 13:09
Alright thanks for message. I'll surely use Bugcrowd as a medium for submitting the bugs in future.
ADMIN
Lance | Senior Manager Technical Support
Posted on: 02 Apr 2024 12:39

Hi Sagar,

Thank you for taking the time to open this. We have started our investigation and will get back to you with our findings within our security report response windows.

  • First Response: 7 days
  • Time to Triage: 10 days
  • Time to Resolution: depends on severity and complexity

I will respond to you in this thread once we've concluded the triage.

Future Recommendation

Since you are a security researcher and not a customer, we have a better method of report submission for you to use. In the future, please consider using our official program to submit reports. 

  • Bug Bounty Program: VDP Pro: Progress Software - DevTools - Bugcrowd 
    • Important: Before pursuing please take care to see what categories are out of scope and not considered for Safe Harbor.
  • Submission instructions: Vulnerability Reporting Policy (progress.com)
  • For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher - along with the opportunity to appeal, and make a case for a higher priority.

Through BugCrowd, we can officially recognize you for your contributions, as well as adhere to industry standards.

Regards,
Lance | Manager Technical Support
Progress Telerik

Love the Telerik and Kendo UI products and believe more people should try them? Invite a fellow developer to become a Progress customer and each of you can get a $50 Amazon gift voucher.