BUG Account Takeover VIVA.CO.ID

jowi
2 min readAug 3, 2020

Hello Peeps! Here is my write-up of the account takeover bug in VIVA.CO.ID.

What is Account Takeover / ATO?

The definition of account takeover (ATO) or account takeover fraud is obtaining a legitimate user’s details to take over their online accounts, possibly enabling monetary or credit card theft. ATO can happen with an automated script that enters the credentials en masse or with a human typing them and accessing the account. The goal of ATO is to make a profit using the value of the account.

Source: https://nudatasecurity.com/resources/blog/what-is-account-takeover/

I Can Log In / Take Over an Account via the Email Field [Broken Authentication]

Proof of Concept:

  1. Register on VIVA.CO.ID with a Facebook account.
  2. Proceed to the "Register Provider" step (the request that links the Facebook identity to a VIVA.CO.ID account).
  3. Open Burp Suite and turn "Intercept is on".
  4. In the intercepted request, change the email parameter from the attacker's (fake) email to the victim's email. The body is URL-encoded, so "@" appears as "%40" (e.g. victim%40example.com).
  5. Click "Forward". The server trusts the submitted email instead of the email reported by Facebook, so the Facebook login is linked to the victim's account and the attacker can log in as the victim.
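The root cause is that the "Register Provider" handler takes the account's identity from a client-controlled form field rather than from the profile the server itself obtained from Facebook. The following is an added example, not code from VIVA.CO.ID or from the original post: a minimal simulation of a vulnerable handler next to a hardened one, with a constructed user store, a constructed Facebook profile, and a tampered request body like the one forwarded through Burp. All names (ATTACKER_PROFILE, fresh_accounts, register_provider_vulnerable, register_provider_hardened, login_with_provider) are assumptions for illustration.

```python
"""Vulnerable vs. hardened 'register provider' handler (added example)."""
from typing import Optional
from urllib.parse import parse_qs


def fresh_accounts() -> dict:
    """Constructed user store: one pre-existing local account (the victim)."""
    return {"victim@example.com": {"user_id": 1, "linked": {}}}


# Constructed: the profile the server obtains from Facebook after validating
# the attacker's OAuth token server-side. Note the email is the attacker's own.
ATTACKER_PROFILE = {
    "provider": "facebook",
    "uid": "fb-attacker-123",
    "email": "attacker@example.com",
    "email_verified": True,
}


def parse_form(body: str) -> dict:
    """Decode an application/x-www-form-urlencoded body ('%40' becomes '@')."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def _link(accounts: dict, email: str, profile: dict) -> int:
    """Attach the provider identity to the account with this email, creating
    the account if it does not exist. Returns the user_id."""
    account = accounts.get(email)
    if account is None:
        account = {"user_id": len(accounts) + 1, "linked": {}}
        accounts[email] = account
    account["linked"][(profile["provider"], profile["uid"])] = True
    return account["user_id"]


def register_provider_vulnerable(body: str, profile: dict, accounts: dict) -> int:
    """Flaw: identity comes from the client-supplied 'email' field, so
    replacing it in Burp binds the attacker's Facebook login to the victim."""
    form = parse_form(body)
    return _link(accounts, form.get("email", ""), profile)


def register_provider_hardened(body: str, profile: dict, accounts: dict) -> int:
    """Fix: the request body is never consulted for identity. The email comes
    from the provider's own profile, and an existing account is only linked
    when the provider asserts that email is verified."""
    email = profile["email"]
    if email in accounts and not profile.get("email_verified", False):
        raise PermissionError("unverified provider email matches an existing account")
    return _link(accounts, email, profile)


def login_with_provider(profile: dict, accounts: dict) -> Optional[int]:
    """Provider login: return the user_id that has this provider uid linked."""
    key = (profile["provider"], profile["uid"])
    for account in accounts.values():
        if key in account["linked"]:
            return account["user_id"]
    return None


def demo_takeover() -> tuple:
    """Replay the write-up: same tampered body, vulnerable vs hardened handler."""
    tampered = "email=victim%40example.com"  # attacker's email swapped for the victim's

    vuln = fresh_accounts()
    register_provider_vulnerable(tampered, ATTACKER_PROFILE, vuln)
    hijacked = login_with_provider(ATTACKER_PROFILE, vuln)  # victim's user_id

    safe = fresh_accounts()
    register_provider_hardened(tampered, ATTACKER_PROFILE, safe)
    own = login_with_provider(ATTACKER_PROFILE, safe)  # a new account instead
    return hijacked, own


if __name__ == "__main__":
    print(demo_takeover())
```

The hardened handler still refuses to auto-link when the provider reports the email as unverified; an even stricter design would require the user to authenticate to the existing account before any provider is attached to it.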

Timeline:

Bug reported: 23 Feb 2019

VIVA.CO.ID response (bug confirmed valid): 25 Feb 2019

Bug fixed: 10 March 2019

Reward? None.

Thanks for reading. Happy hunting.
