New Method to Change Passwords Without Knowing the Old Password in an Android Application

Introduction:

In today's interconnected world, the security of our online accounts is of paramount importance. Many applications incorporate a password change functionality to enable users to update their passwords periodically. However, some applications may inadvertently expose vulnerabilities, allowing attackers to exploit weaknesses in their security measures. In this blog post, we will discuss a particular vulnerability associated with a password change functionality that allows unauthorized individuals to change passwords without proper authentication.

Description:

The vulnerability we will be exploring involves an application that utilizes HTTP requests to facilitate password changes. Within these requests, two parameters are present: "oldpassword" and "newpassword." Ideally, the application should require the user to provide the correct old password before allowing them to change it to a new one. However, due to inadequate validation or authentication measures, an attacker can manipulate the HTTP request and bypass the necessary security checks.

Impact:

The impact of this vulnerability can be far-reaching, exposing both users and the application itself to various risks:

Unauthorized Account Access: Attackers can gain access to user accounts without possessing the actual old password. This could result in compromised personal data, unauthorized transactions, or the ability to impersonate the user.

Data Breaches: If users employ the same password for multiple accounts, attackers can exploit this vulnerability to access other platforms or systems, potentially leading to data breaches across various domains.

POC:

1. Open the Android app and select the password-changing option.

2. The form shows three password fields: old, new, and confirm.

3. Enter any value, such as "abcd", in the old password field, then enter your new password and fill in the confirm field.

4. After submitting the form and capturing the request, update the password field from the old value to the new one.

5. Now turn intercept off to see that the password has been changed.

Mitigation Strategies:

Application developers and organizations should consider putting the following strategies into practice to address this vulnerability and improve the security of the password-change functionality:

Secure Authentication: Strengthen authentication by adding extra verification steps, such as email confirmation, two-factor authentication (2FA), or biometric authentication.

Parameter Validation: Implement strict server-side validation so that the old password supplied in the HTTP request is checked against the user's current password before any change is applied.

Encryption and Secure Protocols: To safeguard sensitive information sent during the password-change process, use encryption and secure transport protocols such as HTTPS.
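To make the parameter-validation point concrete, here is an added example (not code from the original post or from the affected application) of a server-side password-change handler: a vulnerable version that accepts the "oldpassword" parameter but never checks it, as the post describes, beside a fixed version that verifies it before applying the change. The in-memory user store, the PBKDF2 parameters and the minimum-length policy are assumptions made for the example.

```python
import hashlib
import hmac
import os

# Constructed in-memory user store for the example (assumption, not real data).
# Each record holds a random salt and a PBKDF2-HMAC-SHA256 hash of the password.
USERS: dict[str, dict[str, bytes]] = {}


def _hash_password(password: str, salt: bytes) -> bytes:
    # Iteration count is an assumption chosen for the example.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def register(username: str, password: str) -> None:
    """Create or overwrite the stored hash for a user."""
    salt = os.urandom(16)
    USERS[username] = {"salt": salt, "hash": _hash_password(password, salt)}


def verify_password(username: str, password: str) -> bool:
    """Return True only if the candidate password matches the stored hash."""
    rec = USERS.get(username)
    if rec is None:
        return False
    # Constant-time comparison of the two derived hashes.
    return hmac.compare_digest(rec["hash"], _hash_password(password, rec["salt"]))


def change_password_vulnerable(username: str, oldpassword: str, newpassword: str) -> bool:
    """Mirrors the flaw in the post: 'oldpassword' is received but never verified."""
    if username not in USERS:
        return False
    register(username, newpassword)  # overwrites the hash regardless of oldpassword
    return True


def change_password_fixed(username: str, oldpassword: str, newpassword: str) -> bool:
    """Hardened handler: the change only proceeds when oldpassword verifies."""
    if not verify_password(username, oldpassword):
        return False  # wrong, empty or tampered old password: reject
    if len(newpassword) < 8 or newpassword == oldpassword:
        return False  # minimal new-password policy (assumption for the example)
    register(username, newpassword)
    return True


def handle_change_request(params: dict, username: str) -> tuple[int, str]:
    """Maps the request parameters named in the post onto the fixed handler."""
    old = params.get("oldpassword", "")
    new = params.get("newpassword", "")
    if change_password_fixed(username, old, new):
        return 200, "password changed"
    return 403, "old password did not verify"
```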

Conclusion:

The vulnerability discussed in this blog post highlights the significance of robust security measures in password change functionalities. By understanding and addressing these vulnerabilities, application developers and organizations can protect their users' sensitive information and maintain the trust of their user base. A comprehensive approach that combines secure authentication, parameter validation, encryption, user education, and regular security audits is essential to mitigating such risks and ensuring the integrity of online accounts.

The application owner fixed my reported bug.


Manan Sapariya | Ethical Hacker | Security Researcher | Bug bounty hunter.

mannsapariya004@gmail.com