Declined
Last Updated: 03 Apr 2024 15:24 by Sagar
Sagar
Created on: 01 Apr 2024 18:08
Category: UI for WinForms
Type: Bug Report
Account Takeover
# Vulnerability Report: Account Takeover via Email Change Functionality

## Summary:
During security testing of the email change functionality on the Telerik website, it was discovered that the application can be vulnerable to an account takeover attack. The vulnerability allows an attacker to change the email address associated with an account to their own email address, effectively taking over the victim's account.

## Vulnerability Details:
- **Functionality Description:**
  - The Telerik website provides a functionality for users to request a change in their email address.
  - This functionality consists of two sections: current email and new email.
  - The current email is not accessible from the user interface, while the new email can be inputted by the user.
  - After inputting the new email and clicking the "Change Email" button, the user's request is processed.

- **Attack Scenario:**
  1. **Attacker Inputs Their Email:** The attacker inputs their own email address in the new email section.
  2. **Intercepting the Request:** Using interception tools, the attacker intercepts the request before it is sent to the server.
  3. **Modifying the Request:** The attacker modifies the request to replace their own email address with the victim's email address in the current email section.
  4. **Consent Form Manipulation:** Additionally, the attacker can manipulate the consent form associated with the email change request to gain access to the victim's account without their consent.
  5. **Changing the Email Address:** The modified request is forwarded to the server, resulting in the victim's email address being changed to the attacker's email address.
## Impact:
- **Account Takeover:** The vulnerability allows an attacker to take over the victim's account by changing the email address associated with it.
- **Data Access:** Once the attacker gains access to the victim's account, they may have unauthorized access to sensitive data and functionalities associated with the account.

## Mitigation Recommendations:
- **Input Validation:** Implement strict input validation to ensure that only legitimate email addresses are accepted in the new email section.
- **Consent Verification:** Require additional verification steps, such as email confirmation or user authentication, before processing email change requests.
- **Session Management:** Implement session management mechanisms to detect and prevent unauthorized access to account settings and functionalities.
- **Security Awareness:** Educate users about the risks of phishing attacks and social engineering tactics used by attackers to gain unauthorized access to accounts.

## Affected URL:
- Email Change Functionality: [https://www.telerik.com/account/support-center/email-change](https://www.telerik.com/account/support-center/email-change)

## Conclusion:
The discovered vulnerability poses a significant security risk to Telerik website users by allowing attackers to take over accounts through manipulation of the email change functionality. It is imperative for the development team to address this vulnerability promptly by implementing appropriate security controls and mitigations to safeguard user accounts from unauthorized access.

**Best Regards,**
Sagar Dhoot
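As an added example that is not code from the report or from Telerik, here is the server-side pattern the "Consent Verification" recommendation above describes: the account is identified from the authenticated session (any client-supplied "current email" field is ignored), and the change is applied only after a single-use, expiring confirmation token sent to the new address is presented. The account store, clock and e-mail outbox are constructed in-memory stand-ins.

```python
import secrets
import time
from dataclasses import dataclass


@dataclass
class Account:
    account_id: str
    email: str


@dataclass
class Pending:
    account_id: str
    new_email: str
    expires_at: float


class EmailChangeService:
    def __init__(self, accounts, ttl_seconds=900, now=time.time):
        self.accounts = {a.account_id: a for a in accounts}  # constructed store
        self.pending = {}   # token -> Pending (what a real service would persist)
        self.outbox = []    # (recipient, body) messages that would be e-mailed
        self.ttl = ttl_seconds
        self.now = now      # injectable clock so expiry can be tested

    def request_change(self, session_account_id, form):
        # Identity comes from the session, never from the form: a tampered
        # "current_email" field in the request body has no effect here.
        account = self.accounts[session_account_id]
        new_email = form.get("new_email", "").strip().lower()
        if "@" not in new_email or new_email == account.email:
            raise ValueError("invalid new email")
        token = secrets.token_urlsafe(32)
        self.pending[token] = Pending(account.account_id, new_email,
                                      self.now() + self.ttl)
        # Confirmation goes to the NEW address; the OLD address gets a notice
        # so the legitimate owner can react to a change they did not request.
        self.outbox.append((new_email, f"confirm:{token}"))
        self.outbox.append((account.email, "notice: email change requested"))
        return token

    def confirm(self, session_account_id, token):
        # The token must belong to the session that requested the change.
        p = self.pending.get(token)
        if p is None or p.account_id != session_account_id:
            return False
        del self.pending[token]  # single use, consumed even if expired
        if p.expires_at < self.now():
            return False
        self.accounts[p.account_id].email = p.new_email
        return True
```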
4 comments
Sagar
Posted on: 03 Apr 2024 15:24
Thank you for the clarification and the points. I'll make sure to make a proper and detailed POC and explanation in future.
ADMIN
Lance | Manager Technical Support
Posted on: 03 Apr 2024 15:12

Hello Sagar,

Our triage investigation has concluded, thank you for your patience. I am following up with you to share our findings.

Findings

After careful review of all systems involved, we have concluded this report does not describe a viable Account Takeover (T1098) technique. Here are a few statements to explain the finding.

1) The submission form whose HTTP request content you are modifying is not connected to any account database or critical systems. It is simply a tool to help you open a ticket quicker by pasting in the content.

There is no difference between opening a ticket yourself to type in this information manually or using the form to paste it in for you. To explain this further with evidence, here is a screenshot of when you submitted your modified form.

Notice "attacker@gmail.com" is plainly visible in the content of the support ticket (i.e. the HTTP request modification does not obscure the value in the ticket). At no time is the attacker email hidden from the content; this is identical to any manual request for account detail changes.

2) Even if a MITM attacker changes the body of the request, an account representative always has to manually review the request details with the account holder and requires legal/business proof of ownership. This is not an automated process and has never been directly connected to any account systems.

3) This attack vector is a MITM-like attack (man in the middle) where the request was modified between the user's submission and the endpoint at which the HTTP request is received. MITM attacks are out of scope of our bug bounty program; please see the VDP Pro: Progress Software - DevTools - Bugcrowd Out of Scope list.

Conclusion

I would still like to thank you for taking the time to open this report. It has brought to our attention a web page on our site that is no longer used anyway; we will remove it in a future update to Your Account to avoid any future confusion. For bringing this to our attention, I have awarded your account with some Telerik Points as a small gesture of appreciation.

Thank you again, have a great rest of the day.

Regards,
Lance | Manager Technical Support
Progress Telerik

Love the Telerik and Kendo UI products and believe more people should try them? Invite a fellow developer to become a Progress customer and each of you can get a $50 Amazon gift voucher.

Sagar
Posted on: 02 Apr 2024 13:09
Alright, thanks for the message. I'll surely use Bugcrowd as a medium for submitting the bugs in future.
ADMIN
Lance | Manager Technical Support
Posted on: 02 Apr 2024 12:39

Hi Sagar,

Thank you for taking the time to open this. We have started our investigation and will get back to you with our findings within our security report response windows.

  • First Response: 7 days
  • Time to Triage: 10 days
  • Time to Resolution: depends on severity and complexity

I will respond to you in this thread once we've concluded the triage.

Future Recommendation

Since you are a security researcher and not a customer, we have a better method of report submission for you to use. In the future, please consider using our official program to submit reports.

  • Bug Bounty Program: VDP Pro: Progress Software - DevTools - Bugcrowd
    • Important: Before pursuing please take care to see what categories are out of scope and not considered for Safe Harbor.
  • Submission instructions: Vulnerability Reporting Policy (progress.com)
  • For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher - along with the opportunity to appeal, and make a case for a higher priority.

Through BugCrowd, we can officially recognize you for your contributions, as well as adhere to industry standards.

Regards,
Lance | Manager Technical Support
Progress Telerik