Home > Cloud Computing > Cloud Security

07073 modify the password of any user on the game Network

Source: Internet
Author: User
Developer on Alibaba Coud: Build your first app with APIs, SDKs, and tutorials on the Alibaba Cloud. Read more >

You only need to enter an EMAIL address to retrieve the password.
First, we should find a target in the forum. Well, it's him, ID1, and modern people who are outdated.
 
We entered the outdated modern people in the pass retrieval password field and entered the verification code.
Then there is a chicken hole in the vulnerability, and the user's EMAIL address is directly sent through the GET method. Well, we will know his EMAIL address.
 
17 ***** @ qq.com
 
 
 
 
Next, we need a controllable EMAIL (nonsense) to retrieve the password of our account and get a password reset address.
 
We can enter a modified password, and then confirm to cut the package!
Change your EMAIL address to the EMAIL address of ID1 above!
 
 
 
 
Okay, it's successful.
 
 
 
 
=
And then the first-to-Second Channel ~ Enter the pass ~~
 
 
 
 
Then the Forum
 
 
 
 
The password on the background of the Forum is changed to the password above... 600 million + users.
 
 

 
Ps. It seems that the Forum has not been patched for a long time ......

.
Solution:

The user's email address is not directly sent when the password is retrieved through the mailbox.
 
Add a TOKEN to the Password Reset page to bind it to the EMAIL address of the password reset, to prevent modifying the EMAIL address and changing the password of others
 
Patch the forum .........
 

This article is an English version of an article which is originally in the Chinese language on aliyun.com and is provided for information purposes only. This website makes no representation or warranty of any kind, either expressed or implied, as to the accuracy, completeness ownership or reliability of the article or any translations thereof. If you have any concerns or complaints relating to the article, please send an email, providing a detailed description of the concern or complaint, to info-contact@alibabacloud.com. A staff member will contact you within 5 working days. Once verified, infringing content will be removed immediately.

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

Get Started for Free

  • Sales Support

    1 on 1 presale consultation

    Chat Contact Sales

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

    Open a Ticket

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.

    Learn More