Account takeover is a pushover
Security researcher Scott Helme has turned up a dumb password reset bug in UK energy company Ecotricity’s car charging app.
The bug is in the app the company provides for users of its network of ‘leccy car recharge points: it had a bad user enumeration bug that would let an attacker reset someone else’s password and therefore take over their account.
As Helme explains, when a user hits the password reset, the app returns a token to their browser – and that’s the same token that lands in the e-mail the app sends:
“The Reset Password button contained a link as you’d expect and was for the following address:
https://www.ecotricity.co.uk/ecovalidate/token/3119efbec979b11544fd809b75d5467a
“The token on the end of that address may look familiar and it is indeed the token returned by the initial API request to start a password reset for the provided account! Oopsie!”
Why is that an error? Because all the attacker would now need is a user ID or e-mail address to get a reset token for the victim, without needing access to the victim’s e-mail, because the attacker would have the same token as would land in the e-mail.
Given his suspicion that the rest of the Ecotricity API might not have had the scrutiny it needs, Helme has posted his mapping of the API to https://github.com/ScottHelme/Ecotricity-API GitHub.
The company fixed the bug after receiving Helme’s report.
Helme’s previous work we’ve covered included a slip in the Nissan Leaf owner’s app; an information leak in the Hotel Hippo Website; and badly-secured EE BrightBox routers. ®
Sponsored: Global DDoS threat landscape report

Leave a Reply