Authentication Weakness Leading to Persistent Account Takeover
Introduction:
I discovered a critical security weakness in the authentication system of a digital service that allows attackers to gain persistent control over user accounts. This vulnerability exists due to flaws in the authentication process and session management.
Vulnerability Explanation:
The service offers a quick login feature using QR code scanning, designed to simplify user experience. However, I tested this mechanism and found that it does not require user confirmation, making it possible for an attacker to hijack an account with minimal effort.
Exploitation Steps:
1. I opened the login page of the service.
2. A new QR code was generated, containing a login link specific to the user (with a format like https://target.com/device/XXXXXX).
3. I extracted the link and sent it to the victim.
4. Once the victim opened the link, they unknowingly granted me access to their account.
More Critical Aspects of the Vulnerability:
- After a successful login, the authentication token assigned to the victim’s account remained valid even after they logged out of the main platform.
- This token could also be used on the primary service, leading to a full and persistent account takeover.
- The session management system was not properly implemented, meaning the victim had no way to forcefully terminate the attacker’s access.
Conclusion & Recommendations:
This vulnerability has severe implications for user privacy and security. To mitigate this issue, the following measures should be implemented:
- Adding an additional confirmation step before granting access via QR code (such as email or SMS verification).
- Invalidating authentication tokens upon user logout.
- Implementing an effective session management system that allows users to terminate all active sessions.
- Restricting authentication tokens to specific services only.
I tested this vulnerability and confirmed that without a proper fix, attackers can easily hijack user accounts and maintain unauthorized access.
more:
t.me/rootdr_research
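The four recommendations above fit together into one small design: a scanned QR link should only request access, an already authenticated user must explicitly confirm it, the resulting token should be bound to the service it was minted for, and logout should tear down every session. The following in-memory model is an added example and not the affected service's code; the class and method names, the 120-second code lifetime and the two scope values ("web", "device") are assumptions made for the example.

```python
import secrets
import time

# Added example (not the affected service's code): an in-memory model of a
# QR / device-code login that applies the recommendations above. Names,
# the 120-second code lifetime and the two scope values are assumptions.

DEVICE_CODE_TTL = 120  # seconds a pending device code stays redeemable


class LoginBroker:
    def __init__(self):
        self._pending = {}   # device_code -> {"created": ts, "approved_by": user or None}
        self._sessions = {}  # session_token -> {"user": ..., "scope": "web" | "device"}

    def new_device_code(self):
        """Step 1: the login page requests a code and renders it as a QR link."""
        code = secrets.token_urlsafe(16)
        self._pending[code] = {"created": time.time(), "approved_by": None}
        return code

    def approve(self, code, user_session, confirmed):
        """Step 2: an already authenticated user opens the link. Opening it
        grants nothing; only an explicit confirmation marks the code approved."""
        user = self._sessions.get(user_session)
        entry = self._pending.get(code)
        if user is None or entry is None or not confirmed:
            return False
        if time.time() - entry["created"] > DEVICE_CODE_TTL:
            del self._pending[code]        # expired codes are discarded
            return False
        entry["approved_by"] = user["user"]
        return True

    def redeem(self, code):
        """Step 3: the device polls with its code and gets a session only
        after approval; an unapproved code yields nothing and stays pending."""
        entry = self._pending.get(code)
        if entry is None or entry["approved_by"] is None:
            return None
        del self._pending[code]            # single use
        return self.login(entry["approved_by"], scope="device")

    def login(self, user, scope="web"):
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": user, "scope": scope}
        return token

    def is_valid(self, token, scope):
        """Tokens are bound to the service (scope) they were minted for."""
        s = self._sessions.get(token)
        return s is not None and s["scope"] == scope

    def logout_all(self, token):
        """Logout terminates every session of that user, device sessions
        included, so a token obtained through the QR flow dies with the
        web session instead of surviving it."""
        s = self._sessions.get(token)
        if s is None:
            return 0
        doomed = [t for t, v in self._sessions.items() if v["user"] == s["user"]]
        for t in doomed:
            del self._sessions[t]
        return len(doomed)
```

The point of `approve` taking both the victim's existing session and an explicit `confirmed` flag is that merely visiting the link can never grant access; the point of `logout_all` is that the victim always has a way to end the attacker's session.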
New Tool Release: ex-redirect – Automated Open Redirect Finder
https://github.com/rootDR/ex-redirect
I'm excited to announce the release of ex-redirect, a powerful tool designed to help you identify open redirect vulnerabilities using archived URLs from the Wayback Machine.
Key Features:
- Scans historical URLs for potential open redirects
- Supports subdomain enumeration
- Filters out WordPress-related paths
- Option to check for live URLs
- Saves results organized by subdomain
Usage:
python ex-redirect.py -t example.com -s -l -wp
- -t: Specify the target domain
- -s: Include subdomains in the scan
- -l: Check if the URLs are live
- -wp: Exclude WordPress-related paths
Output:
Results are saved in a directory named after the target domain, with separate files for each subdomain containing potential open redirect URLs.
Author: rootdr
Twitter: @R00TDR
Telegram: https://yangx.top/RootDr
Feel free to share your feedback and contributions!
On a project,
I ran a scan with an online service. Accessing the report file and its contents required a premium user,
or registration and account verification were only possible with the domain's own email, which I bypassed.
In a few hours I'll post the PoC and how to get around it, with explanations.
Test yourselves: can you get the email verification link with an email that is not a domain email?
If yes, write the answer in the comments as a spoiler.
https://portal.immuniweb.com/client/register/
#bugbounty
#challange
Bugbounty Tips
Here, to be able to register on the system, you have to sign up with one of the valid emails that were defined beforehand, such as:
[email protected]
As you know, Burp Collaborator can also receive SMTP connections.
So by placing the target domain as a subdomain of our own Collaborator domain, we can bypass this validation:
[email protected]
It's that simple to get around this mechanism.
The important point is that you can do this in many places, especially where there are different roles and access levels; if you register with a valid organizational email, you may be assigned a higher access level by default.
#bugbounty
#challange
#bugbountytips
#testcase
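The bypass works because the registration check only looks for the allowed domain somewhere inside the address rather than requiring the whole domain part to match. The following is an added example, not ImmuniWeb's or the author's code: `weak_check` reproduces that substring-style validation and `strict_check` shows the fix (exact match on the normalised domain part against an allowlist). The allowlist entry `example.com` and the Collaborator-style suffix `collab.example` are constructed values.

```python
import re

# Added example, not code from the challenge target. The allowlist and the
# sample addresses are constructed.

ALLOWED_DOMAINS = {"example.com"}

_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def weak_check(email):
    """Substring-style validation: accepts any address whose domain part
    merely *contains* an allowed domain. An address such as
    user@example.com.<collaborator-domain> passes, and its MX points at
    the attacker's Collaborator server, so the verification mail is
    delivered to them."""
    domain = email.rsplit("@", 1)[-1].lower()
    return any(allowed in domain for allowed in ALLOWED_DOMAINS)


def strict_check(email):
    """Exact match on the whole normalised domain part."""
    if email.count("@") != 1:
        return False
    local, domain = email.split("@")
    domain = domain.strip().lower().rstrip(".")   # case and trailing dot are not significant
    if not local or not domain:
        return False
    if not all(_LABEL.match(label) for label in domain.split(".")):
        return False
    return domain in ALLOWED_DOMAINS
```

The same exact-match rule is what gives the role-assignment point at the end of the post its teeth: if "organizational email" unlocks higher privileges by default, the check that decides who is organizational has to compare the full domain, never a prefix or substring.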
ex-backup is an open-source tool designed to identify exposed backup files on websites. This tool leverages multithreading for speed, customizable wordlists for targeted scans, and smart filters to detect valid backup files, helping you uncover vulnerabilities caused by exposed backups.
Key Features:
Scan single or multiple domains for backup files with common extensions like .zip, .sql, .tar
Use custom wordlists to generate potential file names
Analyze HTTP responses to identify downloadable backup files
Save valid backup links in timestamped files for later review
Check it out on GitHub:
🔗 https://github.com/rootDR/ex-backup
Join our channel for more security tools and bug hunting resources:
🔗 https://yangx.top/rootdr_research
#BugBounty #CyberSecurity #BackupFiles #PenTesting
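The "smart filters" the announcement mentions decide whether a 200 response to a backup-file probe is really an archive or database dump rather than a soft-404 or login page served with a 200 status. The function below is an added example of that classification step and is not ex-backup's own code; it is equally useful when auditing your own hosts for exposed backups. The sample responses in the test are constructed.

```python
# Added example, not the ex-backup code: decide whether a 200 response to a
# backup-file probe is a real archive/dump or a soft-404 page. Sample
# responses used with it are constructed.

MAGIC = {
    b"PK\x03\x04": "zip",
    b"\x1f\x8b": "gzip",
    b"Rar!\x1a\x07": "rar",
    b"7z\xbc\xaf\x27\x1c": "7z",
}
SQL_HINTS = (b"-- MySQL dump", b"-- PostgreSQL database dump", b"CREATE TABLE", b"INSERT INTO")


def classify_backup(status, headers, body):
    """Return 'zip', 'gzip', 'rar', '7z', 'tar' or 'sql' for a response that
    looks like a real backup, None otherwise."""
    if status != 200:
        return None
    lowered = {k.lower(): v for k, v in headers.items()}
    ctype = lowered.get("content-type", "").lower()
    head = body[:4096]
    # HTML with a 200 status is the classic soft-404 / login-redirect page
    if ctype.startswith("text/html") or head.lstrip()[:9].lower().startswith((b"<!doctype", b"<html")):
        return None
    for magic, kind in MAGIC.items():
        if head.startswith(magic):
            return kind
    if body[257:262] == b"ustar":    # POSIX tar magic sits at offset 257
        return "tar"
    if any(hint in head for hint in SQL_HINTS):
        return "sql"
    return None
```

Checking the body's magic bytes rather than trusting the Content-Type header matters in both directions: a server that returns its error page with `application/zip` must not be counted as a hit, and a real dump served as `application/octet-stream` must not be missed.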
Forwarded from CyberSecurity (Матин Нуриян)
A simple technique that led to ATO
To redirect the OAuth flow to the attacker's host we needed an open redirect.
We noticed our cookie value was being reflected in the Location header, but it was a self redirect!
We put the cookie parameter in a GET parameter and the application handled it :)
P.S.: this is a Bugcrowd program!
@matitanium
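Both the ex-redirect announcement above and this OAuth note come down to one server-side mistake: copying a request-controlled value (a query parameter, or here a cookie that was later also accepted from a GET parameter) into the Location header without validating it. The validator below is an added example, not code from either program or from the tool; the host allowlist `app.example.com` and the https-only rule are assumptions for the example. It accepts only a same-site relative path or an https URL whose host is on the allowlist, and refuses the usual bypass shapes (protocol-relative `//host`, userinfo `@` tricks, backslashes, non-http schemes).

```python
from urllib.parse import urlsplit

# Added example, not code from any program mentioned in these posts. The host
# allowlist and the https-only rule are assumptions for the example.

ALLOWED_HOSTS = {"app.example.com"}


def is_safe_redirect(target, allowed_hosts=ALLOWED_HOSTS):
    """True only for a same-site relative path or an https URL whose host
    is on the allowlist. Everything else (other hosts, protocol-relative
    '//host', userinfo tricks, backslashes, non-http schemes) is refused."""
    if not target or any(c in target for c in "\\\r\n\t\x00"):
        return False
    try:
        parts = urlsplit(target)
    except ValueError:          # e.g. a malformed IPv6 literal
        return False
    if parts.scheme and parts.scheme not in ("http", "https"):
        return False
    if parts.netloc:            # absolute or protocol-relative URL
        host = parts.hostname   # drops userinfo and port, so user@evil is seen as evil
        return parts.scheme == "https" and host is not None and host.lower() in allowed_hosts
    # relative target: exactly one leading slash ("//" would be protocol-relative)
    return target.startswith("/") and not target.startswith("//")


def choose_location(candidate, fallback="/", allowed_hosts=ALLOWED_HOSTS):
    """Pick the Location header value: the requested target only if it is
    safe, otherwise a fixed fallback. The rule is the same whether the
    candidate came from a cookie or from a query parameter; the source
    never matters, only the validation."""
    return candidate if is_safe_redirect(candidate, allowed_hosts) else fallback
```

Note that `choose_location` never reflects an unvalidated value: a redirect that seems to be "self only" because its input comes from a cookie is still an open redirect the moment the same input is accepted from anywhere else, which is exactly the step in the post above.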
Forwarded from Web Application Security (Alireza)
Where the rate limit is keyed on the phone number, we can bypass it by adding a + to +98.
#rate_limit_bypass
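The bypass works when the limiter keys on the raw string the client sent, so "+98..." and "++98..." count as two different numbers. The defence is to canonicalise the number before it is used as a key. The limiter below is an added example and not code from any of the channel's posts; country code 98 as the default and the 3-per-60-seconds budget are assumptions.

```python
import re
import time
from collections import deque

# Added example, not from any of the channel's posts: a rate limiter that keys
# on a canonical phone number so that "+98...", "++98...", "0098..." and
# "09..." all count against the same bucket. Country code 98 as default and
# the 3-per-60s budget are assumptions.


def canonical_phone(raw, default_cc="98"):
    """Reduce the spellings of one number to a single E.164-style key, or
    None if the input cannot be a phone number."""
    digits = re.sub(r"\D", "", raw)       # drops '+', extra '+', spaces, dashes
    if digits.startswith("00"):           # international dialling prefix
        digits = digits[2:]
    elif digits.startswith("0"):          # national trunk prefix
        digits = default_cc + digits[1:]
    if not 8 <= len(digits) <= 15:        # E.164 caps numbers at 15 digits
        return None
    return "+" + digits


class OtpRateLimiter:
    def __init__(self, limit=3, window=60):
        self.limit, self.window = limit, window
        self._hits = {}                   # canonical number -> deque of timestamps

    def allow(self, raw_phone, now=None):
        """True if another OTP may be sent to this number right now."""
        key = canonical_phone(raw_phone)
        if key is None:
            return False                  # unparseable input never gets an SMS
        now = time.time() if now is None else now
        q = self._hits.setdefault(key, deque())
        while q and now - q[0] >= self.window:
            q.popleft()                   # drop hits outside the window
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True
```

The same canonical value should also be the one stored and the one the SMS is sent to, so that the key the limiter counts and the number that actually receives the message can never diverge.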
Beyond taking part in a bug bounty program, these kinds of events are full of opportunities to learn, to test yourself, to connect with other friends and to exchange knowledge with each other; whenever such
events are held and you meet the conditions, definitely take part…
Thanks to Blu for their hospitality💙
ex-js.py
5.5 KB
Hi everyone,
I’ve created a Python script that deeply scans and extracts subdomains from JavaScript files, CSP headers, and raw HTML of a target website.
Unfortunately, I currently don’t have access to my GitHub account, and I’m not sure if I’ll be able to recover it.
So for now, I’m sharing the script here with you — feel free to use it while I work on recovering my GitHub or creating a new account.
pip install requests beautifulsoup4
Usage:
python ex-js.py -d example.com
Stay tuned for more tools and research!
🔗 https://yangx.top/rootdr_research
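The core of the extraction the post describes is a hostname regex run over three text sources (CSP header values, JavaScript bodies, raw HTML) with the results filtered to the target's domain. The function below is an added example of that step and is not the attached ex-js.py script; the CSP, JS and HTML samples it runs on are constructed, and the fetching of those sources (which the script does with requests and beautifulsoup4) is left out so the block runs offline.

```python
import re

# Added example, not the ex-js.py script attached above. The sample CSP
# header, JavaScript and HTML below are constructed.

HOST_RE = re.compile(
    r"(?<![\w.-])((?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63})",
    re.IGNORECASE,
)


def extract_subdomains(domain, sources):
    """Return every hostname under `domain` that appears in any of the given
    text sources (CSP header values, JS bodies, raw HTML), deduplicated."""
    domain = domain.lower()
    found = set()
    for text in sources:
        # CSP wildcard sources such as *.assets.example.com: drop the "*." so
        # the concrete suffix is still inventoried.
        text = text.replace("*.", "")
        for m in HOST_RE.finditer(text):
            host = m.group(1).lower().rstrip(".")
            # suffix match on ".domain" so notexample.com and
            # mail.example.com.evil.example are both excluded
            if host == domain or host.endswith("." + domain):
                found.add(host)
    return sorted(found)


SAMPLE_CSP = ("default-src 'self'; script-src https://cdn.example.com *.assets.example.com "
              "https://cdn.thirdparty.example; connect-src wss://ws.example.com:443")
SAMPLE_JS = ('const api = "https://api.example.com/v1"; fetch("//static.example.com/app.js"); '
             'const decoy = "mail.example.com.evil.example";')
SAMPLE_HTML = ('<a href="https://www.example.com/login">Login</a> '
               '<img src="https://img.notexample.com/x.png">')


def demo():
    return extract_subdomains("example.com", [SAMPLE_CSP, SAMPLE_JS, SAMPLE_HTML])
```

Run from the defender's side this is an asset-inventory check: every host it returns is one the application itself advertises to browsers, so each should appear in your own inventory and monitoring.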