Password Reset Token Leak
Learn about a critical security vulnerability discovered in a leading German bank's password reset system.
Recently, while working with one of Germany's largest banks, we came across a simple bug that leads to a high-impact account takeover. The important part is that a bug of this kind is easily missed by automated scanners and tool-based testing.
The vulnerability lies in the handling of the X-Forwarded-Host header during password reset requests. An attacker can supply a crafted header containing their own domain, and the reset link sent by email to the victim then points to the attacker's domain instead of the bank's.
Exploitation Scenario
- The attacker adds a malicious X-Forwarded-Host header to a password reset request made on the victim's behalf.
  Figure: Intercepted HTTP request in Burp Suite from the "Forgot password" functionality. The custom X-Forwarded-Host HTTP request header has been added by the attacker and points to an attacker-controlled domain.
- The password reset email containing the manipulated link is sent to the victim. When the victim clicks the link, they are taken to the attacker's site instead of the bank's.
  Figure: Password reset link received by the victim, with the attacker-controlled domain embedded in the link.
- The attacker's server receives the password reset token, which allows a full account takeover.
  Figure: Password reset token leaked to the attacker-controlled server, allowing a password change that leads to full account takeover.
- Figure: Visual representation of the attack flow, illustrating the critical steps.
Key Takeaways
- Because the issue is rooted in header handling, the header value can be altered at various points in a multi-tier architecture, where a request traverses several layers of servers before it reaches the application.
- Similar issues have been identified on many web domains, mostly in cases where reverse proxies or load balancers are involved.
Recommendation
My advice to CISOs, CSOs, and CTOs: never allow your development team to trust header values coming from intermediary systems or users, especially the Host header and its forwarded variants. Most IT leaders regard Host header injection as a low or informational finding and do not recognize its wider impact. As shown here, exploitation can have severe consequences and let an attacker compromise user accounts.
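To make the recommendation concrete, here is an added example (not code from the bank or from this case study) contrasting a reset-link builder that takes its host from X-Forwarded-Host with one that uses only a configured canonical origin, plus a check that flags requests whose Host or X-Forwarded-Host value falls outside an allow-list. The origin, host names and token are constructed placeholders.

```python
"""Password reset link generation: request-derived host vs. configured origin."""
from typing import Mapping, Optional
from urllib.parse import urlencode

# Assumed server-side configuration (constructed placeholders).
CANONICAL_ORIGIN = "https://bank.example"
ALLOWED_HOSTS = {"bank.example", "www.bank.example"}


def naive_reset_url(headers: Mapping[str, str], token: str) -> str:
    """The pattern described in the case study: the link host comes from
    X-Forwarded-Host (falling back to Host), so a value the client supplied
    decides where the victim's token is delivered."""
    host = headers.get("X-Forwarded-Host", headers.get("Host", ""))
    return f"https://{host}/reset?{urlencode({'token': token})}"


def hardened_reset_url(token: str) -> str:
    """The link is derived only from configuration; no request header can
    influence the domain that receives the token."""
    return f"{CANONICAL_ORIGIN}/reset?{urlencode({'token': token})}"


def forwarded_host_violation(headers: Mapping[str, str]) -> Optional[str]:
    """Return the name of the first header (Host or X-Forwarded-Host) whose
    value is not in the allow-list, or None if both are acceptable.
    Suitable for a reverse-proxy rule or a detection alert. Hosts are
    lower-cased, a trailing dot and a port suffix are stripped, and a
    comma-separated forwarding chain is checked hop by hop."""
    for name in ("Host", "X-Forwarded-Host"):
        value = headers.get(name)
        if value is None:
            continue
        for hop in value.split(","):
            host = hop.strip().lower().rstrip(".").split(":")[0]
            if host not in ALLOWED_HOSTS:
                return name
    return None
```

In practice the check belongs at the edge (proxy or load balancer) and the hardened builder in the application, so that a forged header is both rejected early and harmless if it slips through.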
Disclaimer
This case study is provided to help improve the security of your system and is shared for educational purposes only. No unauthorized access was performed.