Case Study: Password Reset Token Leak
Learn about a critical security vulnerability discovered in a leading German bank's password reset system.
Recently, while working with one of Germany's largest banks, we came across a simple bug that can lead to a high-impact account takeover. The important part is that a bug of this kind is easily missed by automated scanners and tool-based testing, since its effect shows up only in the email the victim receives, not in the HTTP response to the request.
The vulnerability lies in the handling of the X-Forwarded-Host header during password reset requests. The application used the value of this header to build the absolute URL of the reset link, so an attacker who injects a crafted header containing their own domain causes the reset link in the email sent to the victim to point to the attacker's domain instead of the bank's.
Exploitation Scenario:
- The attacker crafts a malicious X-Forwarded-Host header and uses it to initiate a password reset request on the victim's behalf.
- The password reset email containing the manipulated link is sent to the victim. Upon clicking the link, the victim is taken to the attacker's site instead of the bank's.
- The reset token arrives at the attacker's server as part of that request URL. The attacker then submits it to the bank's real reset endpoint and takes over the account.
Visual representation of the attack flow, illustrating the critical steps.
Key Takeaways:
- The header can be injected at various points in a multi-tier architecture, where requests traverse several layers of servers: X-Forwarded-Host is meant to be set by a reverse proxy, but if no layer strips or overwrites a client-supplied value, the backend ends up trusting whatever the attacker sent.
- Similar issues have been identified on many web applications, mostly in cases where reverse proxies or load balancers are involved.
Recommendation:
My advice to CISOs, CSOs, and CTOs: never allow your dev team to trust header values coming from intermediary systems or users, and in particular the Host header and its forwarded variants. Most IT leaders treat Host header injection as a low or informational finding and do not recognize its wider impact. As this case shows, exploitation can have severe consequences and let attackers compromise user accounts.
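To make the exploitation scenario and the recommendation concrete, here is an added example (not code from the case study or from the bank's application) that puts the vulnerable link-building pattern beside a hardened one. The host names, the allowlist, and the crafted request are constructed for illustration; the reset token is generated locally and never sent anywhere.

```python
import secrets
from urllib.parse import urlsplit

# Assumptions for this example (not from the original case study): the bank's
# canonical host and the allowlist of hosts it serves live in configuration.
CANONICAL_HOST = "bank.example"
ALLOWED_HOSTS = {"bank.example", "www.bank.example"}


def build_reset_link_vulnerable(headers: dict, token: str) -> str:
    """Vulnerable pattern: the mailed link's origin is taken from
    X-Forwarded-Host (falling back to Host), so whoever controls that
    header controls where the victim's reset token is sent."""
    host = headers.get("X-Forwarded-Host") or headers.get("Host")
    return f"https://{host}/reset-password?token={token}"


def is_trusted_forwarded_host(headers: dict) -> bool:
    """True if X-Forwarded-Host is absent or names a host we actually serve.
    A proxy chain may append several hosts separated by commas; the first
    entry is the client-facing one, so that is what gets checked."""
    forwarded = headers.get("X-Forwarded-Host")
    if forwarded is None:
        return True
    first_hop = forwarded.split(",")[0].strip().lower()
    return first_hop in ALLOWED_HOSTS


def build_reset_link_hardened(headers: dict, token: str) -> str:
    """Hardened pattern: the link's origin comes from configuration, never
    from the request, and an unexpected forwarded host aborts the request
    instead of being silently ignored (it is a tampering signal worth logging)."""
    if not is_trusted_forwarded_host(headers):
        raise ValueError(
            f"untrusted X-Forwarded-Host: {headers['X-Forwarded-Host']!r}")
    return f"https://{CANONICAL_HOST}/reset-password?token={token}"


def edge_proxy_forward(client_headers: dict, public_host: str) -> dict:
    """What the client-facing reverse proxy should do: discard any
    X-Forwarded-* headers the client sent and set its own, so backends
    only ever see values written by infrastructure they trust."""
    cleaned = {k: v for k, v in client_headers.items()
               if not k.lower().startswith("x-forwarded-")}
    cleaned["X-Forwarded-Host"] = public_host
    return cleaned


def link_host(link: str) -> str:
    """Hostname a mailed link actually points at."""
    return urlsplit(link).hostname


def simulate_attack() -> dict:
    """Run the attacker's crafted request through all three code paths."""
    token = secrets.token_urlsafe(32)
    # Constructed sample request: the attacker asks for a reset on the
    # victim's account and smuggles in their own host.
    attacker_request = {
        "Host": "bank.example",
        "X-Forwarded-Host": "attacker.example",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    vulnerable_link = build_reset_link_vulnerable(attacker_request, token)
    try:
        build_reset_link_hardened(attacker_request, token)
        rejected = False
    except ValueError:
        rejected = True
    # The same request after a correctly configured edge proxy rewrote it.
    at_backend = edge_proxy_forward(attacker_request, "bank.example")
    hardened_link = build_reset_link_hardened(at_backend, token)
    return {
        "vulnerable_link_host": link_host(vulnerable_link),
        "hardened_rejects_raw_request": rejected,
        "hardened_link_host": link_host(hardened_link),
        "proxy_cleaned_header": at_backend["X-Forwarded-Host"],
    }


if __name__ == "__main__":
    for key, value in simulate_attack().items():
        print(f"{key}: {value}")
```

Two design choices are worth noting. First, the hardened builder does not merely ignore a bad forwarded host and fall back to the canonical one; it fails the request, because a client-supplied X-Forwarded-Host reaching the backend means a proxy layer is misconfigured and someone should look at it. Second, the fix belongs at both ends: the backend must never derive a mailed URL from request headers, and the edge proxy must overwrite forwarded headers rather than pass them through, so that the multi-tier problem described above is closed at every tier.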
Disclaimer:
This case study is provided to help improve the security of your system and is shared for educational purposes only. No unauthorized access was performed.