My first exploit: a site that allows setting any user’s password

David Gilbertson
8 min read · Sep 22, 2019

I recently found an interesting vulnerability that allowed any user of a particular website to set any other user’s password.

That’s a big one, right?

It was a bit of fun and I thought it might make for an interesting article. You’re about to find out.

Disclaimer: I’m a long way from being a security expert and this was my first foray into SQL injection, so please forgive all naivety found below.

Disclosure: I’m not going to disclose the website in question. Not because I’ve reported it to the site owner and am bound by secrecy, but because I’m going to keep the vulnerability for myself. (If you find the site in question, please do me a favour and keep your mouth shut.)

A photo I took. I was too chicken to go in there. True story.

You know how sometimes you open up DevTools for a site and aimlessly peruse their minified code and network requests, and before you know it the sun has set and your cat is cold? Well, I was doing that on the user profile page of a website and noticed that when I ticked ‘receive notifications’ on and off, it sent a network request like:

/api/users?email=no

And I thought: I wonder if they’re doing anything foolish? Maybe I’ll give this SQL injection thing a try?
