How a Bit of Observation Gave Me My Second Account Takeover
I really like Account Takeovers, so when I test any website it is my first choice to test :)
So I decided to test a Letter of Recommendation program. When I first visited the application, it was an online learning application filled with LinkedIn-like features.
So without wasting any time I started to make an account for myself.
When I was doing that, I noticed a page where we have to set a password for our account.
But the fun part was the URL:
target.com/something/reset/{ID}/something
You guessed it, didn't you?
IDOR on the ID parameter, right?
So I quickly made another account, copied that ID and replaced the ID parameter with it, and guess what: I was able to change the password for the associated ID.
Simple right? :)
That's how a little bit of observation can give you critical bugs.
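To make the root cause concrete from the defender's side, here is an added example (not the target's code, and constructed for this write-up): a reset handler that trusts the ID in the URL, beside one where the authority to change a password comes from an unguessable, single-use, expiring token bound to the account, and the path ID is only checked for agreement with that token. The account store and IDs are constructed in-memory stand-ins.

```python
import secrets
import time

# Constructed in-memory stores standing in for the site's database (assumption).
ACCOUNTS = {"1001": {"password": "victim-old"}, "1002": {"password": "attacker-old"}}
RESET_TOKENS = {}  # token -> {"account_id": ..., "expires": ..., "used": False}


def vulnerable_reset(path_id: str, new_password: str) -> bool:
    """The pattern described in the post: the account ID comes straight from the
    reset URL and nothing ties that ID to whoever requested the reset."""
    if path_id not in ACCOUNTS:
        return False
    ACCOUNTS[path_id]["password"] = new_password
    return True


def issue_reset_token(account_id: str, ttl_seconds: int = 900) -> str:
    """Server side: mint an unguessable token bound to exactly one account,
    with an expiry, at the moment the reset flow is started."""
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[token] = {
        "account_id": account_id,
        "expires": time.time() + ttl_seconds,
        "used": False,
    }
    return token


def hardened_reset(path_id: str, token: str, new_password: str) -> bool:
    """The ID in the path carries no authority; the token decides which account
    may be reset. A mismatch between the two is rejected (and is worth logging)."""
    entry = RESET_TOKENS.get(token)
    if entry is None or entry["used"] or time.time() > entry["expires"]:
        return False
    if not secrets.compare_digest(entry["account_id"], path_id):
        return False  # token was issued for a different account than the URL names
    entry["used"] = True  # single use: replaying the same link does nothing
    ACCOUNTS[path_id]["password"] = new_password
    return True
```

With the hardened handler, swapping the ID in the URL fails unless the attacker also holds a valid reset token for that very account, which is what removes the IDOR.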
If you like this article then give a clap :)
Instagram : https://www.instagram.com/sarans0x00h/
My bug hunting guide : https://instagram.com/sachin_kalkumbe