Hello everyone. Today I’m going to publicly post my first finding, “How I could have hacked 1.5 Million Namecheap accounts”. When I was thinking about buying a new domain, I started searching the internet for the top domain companies, and I saw Namecheap listed among them. After that I created an account, and my mind was stuck on testing their security.
Namecheap is an ICANN-accredited domain registrar and web hosting company, based in Los Angeles, California. It is a top domain registrar company these days. It claims to have over 5 million domain names and 1.5 million customers.
Description of the bug
Whenever a user goes to their profile and updates the primary address, the parameter address.username in this request is vulnerable. This parameter is not verified on the server side. There I change the username to any other user’s username and forward the request. This request changed the victim's email to my email; then I went to forgot password and changed the password.
As you can see in the video, I was able to add my email to any other account.
POST /Profile/address/0/addressbook HTTP/1.1
Change Address.username to any other username and forward the request. The victim's email is changed to the attacker's email.
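The missing server-side check, shown as an added example (not Namecheap's code and not from the original post): a constructed in-memory model where the flawed handler trusts Address.username from the request body, next to a hardened handler that takes the account from the authenticated session. The account store, session table, function names and the Address.street and Address.email fields are assumptions made for illustration.

```python
# Constructed in-memory model; data, names and field layout are assumptions.
ACCOUNTS = {
    "alice": {"email": "alice@example.com", "address": "1 Main St"},
    "bob": {"email": "bob@example.com", "address": "2 Side St"},
}
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob"}  # session id -> authenticated user
AUDIT_LOG = []  # records rejected cross-account attempts for later review


class Forbidden(Exception):
    """Raised when a request targets an account the session does not own."""


def _apply(username, form):
    # Write the submitted address-book fields to the chosen account.
    account = ACCOUNTS[username]
    account["address"] = form.get("Address.street", account["address"])
    account["email"] = form.get("Address.email", account["email"])


def update_address_vulnerable(session_id, form):
    """Flawed pattern: the target account is taken from the request body."""
    if session_id not in SESSIONS:
        raise Forbidden("not logged in")
    # The username is never compared with the session owner.
    _apply(form["Address.username"], form)


def update_address_hardened(session_id, form):
    """Target account comes from the session; a mismatch is logged and rejected."""
    owner = SESSIONS.get(session_id)
    if owner is None:
        raise Forbidden("not logged in")
    claimed = form.get("Address.username", owner)
    if claimed != owner:
        AUDIT_LOG.append(
            {"event": "username_mismatch", "session_user": owner, "claimed": claimed}
        )
        raise Forbidden("Address.username does not match the authenticated user")
    _apply(owner, form)
```

The audit entry written on a mismatch doubles as a detection signal: a logged-in session submitting another account's username has no legitimate cause in this flow.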
30/10/2015: Bug reported to Namecheap Security Team
03/11/2015: Bug Fixed
03/11/2015: Bug resolved and bounty $100 😀
03/11/2015: I asked to bump the bounty
04/11/2015: The rules of our Bounty Program are common for any type of vulnerability, we don’t reward maximum bounty depending on the case reported. As a one-time exception it was increased to $1000 for you.
As we know, this amount is not good for this type of bug, because it was easily exploitable: using it, anyone could take over a victim's account, steal their domain names and more details.