Lenovo mall account design defects cause the password to be cracked when the registered email address is known

When a user registers an email, the user's password is first known through XX due to the logic problem during development. Then, the user's account can be logged on to the account.
Then, personal information or something will be leaked.
I didn't look at the payment process. If there is a deposit balance, it should be possible to steal money... (Digital events, you know ....)

In Lenovo official online mall in http://shop.lenovo.com.cn/

First, let's talk about registration. After registration, the user's account and password are sent to the user's mailbox in plain text. If there is a problem with the user's mailbox, there is no pressure to win this account.

 

 

Then I entered the topic. The process of forgetting the password was analyzed as follows:
User: use email to retrieve the password-system: Password Reset to 6-digit full-digit password-system: Reset Password Sent to the user's mailbox-user: log On with the Reset Password-user: change the password in the background of the user center (this step can be omitted)

The process is basically like this. The password retrieval process is amazing. You can reset the user's password without confirmation by providing only one email address and a 6-digit password.

I use my account to perform the experiment.

First, retrieve the password and enter your own email address.

 

 

Then I received an email with the new six-digit password in plain text ....

 

 

Suppose we don't know what the password is...

We came to the login place and looked like we had a verification code. In theory, it should be able to prevent being exhaustive, but unfortunately, this verification code is useless.

We enter the email address, fake password, and correct verification code, and use burp to capture packets.

 

 

Did not carefully study the verification code comparison method, I guess it should be verified with the strings following/openapi/pam_callback/login/module/pam_passport_basic/type/member/appid/B2C/redirect/callback.

Next, we all know how to generate a dictionary with six digits, ranging from 100000 to 999999.

Wait for cracking. The attack time depends on your network status ....

Soon, we can see a special request.

 

It can be seen that 258729 is the Reset Password (different from the password because the figure above is supplemented ..)

We use this password to log on successfully.

 
 

Solution:

Do not send the password to the user in plain text after registration

Change the password retrieval process

Enhance the verification method of the Verification Code

It is best to add an account that has been locked for more than N times a day.