Account Takeover via Email Confirmation

It’s the second account takeover I’m finding on a client pentest in the span of a few days. I’m not sure wth is going on…

I’m going to try to be as short and to the point as possible because I don’t enjoy writing as much as I used to.

1. User registers an account => They receive an email to “Confirm account”.
2. The email contains a confirmation link that looks something like (all the parameters have been redacted for obvious reasons):

https://url202310322.redactedexample.com/rxy/suk?mda=verylongENCRYPTEDstring

3. Clicking the link opens another window and the URL gets decrypted into:

https://webapp.redactedexample.com/sdy/confirm?uid=<uuid>&auth=<somelongcode>&return=/

4. This page says “Email confirmed” => “Click to continue”. Clicking redirects the client to the “return” URL.

5. As you might guess, the “uid” is insufficiently validated because inputting another user’s “uid” leads to account takeover.

Not only does the “uid” lack validation, but also the “auth” code should have been invalidated after the first use. But it has not been invalidated because I’ve been able to use it multiple times, thus taking over multiple users’ accounts (different test accounts that I created).

Even though the “uid” is UUID 4 and is not easily guessed or reverse-engineered, this is still a critical issue, especially in the context of highly-targeted attacks.