How I was able to Regain access to account deleted by Admin leading to $$$

Hello hackers, I hope you are doing well. Today I’m going to explain one of my findings: how I was able to access an account that had been deleted by an admin. As this was a Bugcrowd private program, I’ll refer to it as example.com.

This application has lots of functionality. There was an option to invite users, and the endpoint was example.com/dashboard/setup/user-accounts, so I thought I’d give it a shot. I quickly sent an invitation to my email address, rajesh_ranjan+invite1@bugcrowdninja.com, and got the following response; as you can see, it was 201 Created.

I then headed over to my email inbox, accepted the invitation, created a username and password, visited example.com/dashboard/login and entered the credentials. The following request and response were generated:

I copied that response and pasted it into Sublime :D. Then I went back to the admin dashboard and deleted the user’s access from the application.

This time I headed to example.com/dashboard/login and tried to log in with the same old credentials, and as expected I got a Login failed error.

So I thought: what else can we do now?

I turned on Intercept, captured the login request and intercepted the response,

and modified the response from

To

and then forwarded it, and to my surprise I was logged in with that account :P. I quickly reported this to the program, and within a week I was rewarded $$$ for this submission.

Note: You might be wondering where this response came from. When we accept the invite, create a password, head over to example.com/dashboard/login and enter the credentials, that is the step at which this valid response was generated.

Steps to reproduce

Admin side

  1. Go to example.com/dashboard/setup/user-accounts and enter the user’s email address to send the invitation

User side

  1. Check your inbox, open the invitation link, and set the password for your account
  2. Now try to log in at example.com/dashboard with the credentials you set in step 1
  3. Copy the response and keep it in Notepad

Admin side

  1. Come back to the admin side and delete the invited user

User side

  1. Try to log in again with the credentials; you’ll get a login failed error
  2. Intercept the response and replace it with the earlier (valid) one, and you’ll be logged in successfully
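The underlying weakness here is that a login response captured before the admin deleted the account was still honoured afterwards. As an added example (not code from the original post or from the program), here is a hypothetical in-memory session store showing the server-side fix: deleting a user revokes every session issued to that user, and every authenticated request re-checks that the user still exists, so a replayed response carries no authority on its own. The class and method names are my own.

```python
import hashlib
import os
import secrets
from dataclasses import dataclass
from typing import Optional

@dataclass
class User:  # hypothetical user record (added example, not the program's code)
    email: str
    salt: bytes
    pw_hash: bytes

class AuthStore:
    def __init__(self):
        self.users = {}     # email -> User
        self.sessions = {}  # server-side session token -> email
    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    def accept_invite(self, email: str, password: str) -> None:
        # Invited user sets a password; the account now exists on the server.
        salt = os.urandom(16)
        self.users[email] = User(email, salt, self._hash(password, salt))
    def login(self, email: str, password: str) -> Optional[str]:
        # Issue a fresh session token only for an existing user with the right password.
        user = self.users.get(email)
        if user is None:
            return None
        if not secrets.compare_digest(user.pw_hash, self._hash(password, user.salt)):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = email
        return token

    def delete_user(self, email: str) -> None:
        # Admin deletes the account: drop the record AND revoke every session it
        # holds, so a token captured before deletion cannot be replayed later.
        self.users.pop(email, None)
        for token in [t for t, e in self.sessions.items() if e == email]:
            del self.sessions[token]

    def authorize(self, token: str) -> Optional[str]:
        # Run on every authenticated request: the token must map to a live session
        # AND the user must still exist; the client's copy of a login response is never trusted.
        email = self.sessions.get(token)
        if email is None or email not in self.users:
            self.sessions.pop(token, None)
            return None
        return email
```

The check in `authorize` is what the vulnerable application was missing: without it, any session or token the user obtained before deletion keeps working until it expires.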

Timeline:

Reported: 07 Nov 2020

Triaged: 09 Nov 2020

Bounty Received: 14 Nov 2020

Connect with me on Twitter: https://twitter.com/_rajesh_ranjan_