Heyoo everyone,
I'm Ahmed Aamer (mickoz), and today I'm sharing my second write-up.
This time, I'll walk you through how a simple detail in a password reset flow turned into full control over the content of emails sent through an official communication channel.
Let's dive in! :))
Discovery
While exploring targets on HackerOne, I came across a program with a large wildcard scope.
After enumerating subdomains using subfinder,
subfinder -d example.com
I came across this site, redacted.sandbox. Usually, sandbox environments tend to have more security issues than production ones, so after testing the main features of the application, I decided to focus on the password reset functionality.
I started by sending a "Forgot Password" request and intercepting it through Burp Suite.
POST /api/auth/auth-send-reset HTTP/2
Host: redacted.sandbox
Content-Type: application/json
{"email":"xxxx@outlook.com","lang":"en"}
I tried some header injection techniques, but nothing worked.
While reviewing the email I received, I noticed the password reset link looked like this: www.redacted.com/en/forgotpassword?=xxxxx
At first, I tried multiple approaches to modify the request through Burp, but nothing worked until I added XX to the lang parameter in the request.
POST /api/auth/auth-send-reset HTTP/2
Host: redacted.sandbox
Content-Type: application/json
{"email":"xxxx@outlook.com","lang":"enXX"}
Then I opened the email and saw it reflected like this: www.redacted.com/enXX/forgotpassword?=xxxxx
That's when I realized I could control part of the reset link.

I tried to inject another link, but it didn't work; the value was simply appended to the original link, and clicking it led to a 404 Not Found page. At that point, there didn't seem to be any real security impact.
After hours of attempting XSS, HTML injection, and open redirect techniques, I had reached a dead end: every attempt came back properly encoded, and I couldn't find a way to break out of the structure of the email or of the reset link itself.
Then I started thinking: what if I added a new line using \n, something I've used a lot before in JavaScript :V ?
Bingo!
It worked (inside a JSON string, \n is an escape sequence that the server decodes into a real line feed before the value reaches the email template, and HTML-style output encoding does not touch a line feed), and it was reflected in the email like this:
After that, I decided to craft a full payload to make it more realistic.
Final Payload
"lang":"en/invalidlinkfromtheATTACKER\n\nIMPORTANT: If the link does not work, use:\nhttps://evil.com/reset"
This issue goes beyond a simple injection. An attacker can send fully controlled content to any victim using only their email address, with no verification that the attacker owns that address. Because it's delivered through an official Government email channel, it carries strong trust, making it a reliable phishing vector.
This is what the victim receives, delivered through the original channel:
Hi, We received a request to reset your password on redacted. If you didn't request this email, you can ignore it — your password has not been changed.
To reset your password, use this link (expires in 10 minutes): https://redacted.sandbox/en/invalidlinkfromtheATTACKER
IMPORTANT: If the link does not work, use: https://evil.com/reset/reset-complete?
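To make the mechanism concrete, here is an added Python model of the email builder. It is not the target's code: the template shape (lang spliced into the link path, with the template's own /reset-complete? suffix glued on after the whole value, which is why the attacker's URL above ends in /reset-complete?), the host redacted.sandbox, the sample request bodies and the language allowlist are all assumptions. It shows why the JSON \n escape becomes a real line feed that HTML escaping leaves alone, the allowlist check that would have stopped it, and a small triage helper that flags a reset email carrying more than one URL.

```python
import html
import json

BASE_URL = "https://redacted.sandbox"         # assumption: host shown in the delivered email
ALLOWED_LANGS = frozenset({"en", "ar", "fr"})  # assumption: the site's real language codes

# Constructed request body carrying the write-up's final payload. Inside a JSON
# string, \n is an escape sequence; json.loads turns it into a real line feed
# before the value ever reaches the mail template.
ATTACKER_BODY = (
    '{"email":"victim@example.com",'
    '"lang":"en/invalidlinkfromtheATTACKER\\n\\nIMPORTANT: If the link does not work, use:'
    '\\nhttps://evil.com/reset"}'
)
BENIGN_BODY = '{"email":"victim@example.com","lang":"en"}'  # constructed normal request


def decode_lang(body: str) -> str:
    """What the server sees after JSON parsing: escapes are already resolved."""
    return json.loads(body)["lang"]


def build_reset_link(lang: str, token: str) -> str:
    """Vulnerable link builder. HTML-escaping lang is why XSS and HTML injection
    failed, but a line feed is not an HTML metacharacter, so it survives, and
    the template suffix is concatenated after the whole value."""
    return f"{BASE_URL}/{html.escape(lang, quote=True)}/reset-complete?{token}"


def render_reset_email_vulnerable(body: str, token: str) -> str:
    lang = decode_lang(body)
    return (
        "Hi, We received a request to reset your password on redacted.\n"
        "To reset your password, use this link (expires in 10 minutes): "
        f"{build_reset_link(lang, token)}\n"
    )


def render_reset_email_fixed(body: str, token: str) -> str:
    """Hardened version: a language tag is one of a few known values, so it is
    allowlisted rather than encoded. Unknown tags are rejected before the value
    is interpolated into anything."""
    lang = decode_lang(body)
    if lang not in ALLOWED_LANGS:
        raise ValueError(f"unsupported lang: {lang!r}")
    return (
        "Hi, We received a request to reset your password on redacted.\n"
        "To reset your password, use this link (expires in 10 minutes): "
        f"{BASE_URL}/{lang}/reset-complete?{token}\n"
    )


def urls_in(text: str) -> list[str]:
    """Triage helper for outbound mail review: a reset email should carry
    exactly one URL; a second one means the template was broken out of."""
    return [word for word in text.split() if word.startswith("http")]


if __name__ == "__main__":
    rendered = render_reset_email_vulnerable(ATTACKER_BODY, "xxxxx")
    print(rendered)
    print("URLs found:", urls_in(rendered))
    try:
        render_reset_email_fixed(ATTACKER_BODY, "xxxxx")
    except ValueError as exc:
        print("fixed template rejected it:", exc)
```

The takeaway is the same one the write-up reaches the hard way: output encoding chosen for one context (HTML) says nothing about another (a plain-text email body and a URL path), so a value with a tiny legitimate domain like a language tag should be validated against that domain, not escaped.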
Looking forward to sharing more in the future.
X : m1ckoz
LinkedIn: mickoz
FB: mickoz