How I could have hacked 1.5 Million Namecheap accounts

Summary

Hello everyone, today I'm publicly posting my first finding, "How I could have hacked 1.5 Million Namecheap accounts". When I was thinking about buying a new domain, I searched the internet for the top domain companies and saw Namecheap listed among them. After that I created an account, and I could not stop thinking about testing their security.


About Company

Namecheap is an ICANN-accredited domain registrar and web hosting company based in Los Angeles, California. It is one of the top domain registrar companies today. It claims to have over 5 million domain names and 1.5 million customers.

Description of the bug

When a user goes to their profile and updates the primary address, the request carries the parameter Address.username, and this parameter is vulnerable: the server does not verify it against the logged-in user. I could change the username to any other user's username and forward the request. That request replaced the victim's email with my email; I then went to Forgot Password and changed the password.

Video PoC

As you can see in the video, I was able to add my email to any other account.

Vulnerable Request

POST /Profile/address/0/addressbook HTTP/1.1
Host: www.namecheap.com
_NcCompliance=cf410c6e-6d39-47e5-a0b8-d2c57afc805b&AddressId=0&Address.username=rschauhan13&…..

Change Address.username to any other username and forward the request; the victim's email is replaced with the attacker's email.
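To show the defensive point in code, here is an added example (not Namecheap's code) that models the address-book update: the vulnerable handler trusts the submitted Address.username, while the hardened handler binds the update to the authenticated session and rejects any mismatch. The account data, the session model and the Address.email parameter name are assumptions for the example.

```python
from urllib.parse import parse_qs

# Constructed sample accounts (not real data).
def sample_accounts() -> dict:
    return {
        "attacker": {"email": "attacker@example.com"},
        "victim": {"email": "victim@example.com"},
    }

def parse_form(body: str) -> dict:
    """Parse a urlencoded body like the PoC request into a flat dict."""
    return {k: v[0] for k, v in parse_qs(body).items()}

def vulnerable_update(accounts: dict, session_user: str, form: dict) -> str:
    """Vulnerable pattern: the account to modify comes from the request body,
    so any logged-in user can rewrite any other user's profile (IDOR)."""
    target = form["Address.username"]          # attacker-controlled value
    accounts[target]["email"] = form["Address.email"]  # assumed param name
    return target

class Forbidden(Exception):
    """Raised when the body names an account other than the session's."""

def hardened_update(accounts: dict, session_user: str, form: dict) -> str:
    """Hardened pattern: the target is always the authenticated user; a
    submitted username that disagrees is rejected and worth logging."""
    submitted = form.get("Address.username")
    if submitted is not None and submitted != session_user:
        # Detection hook: body principal != session principal.
        raise Forbidden(f"{session_user!r} tried to edit {submitted!r}")
    accounts[session_user]["email"] = form["Address.email"]
    return session_user

if __name__ == "__main__":
    body = "AddressId=0&Address.username=victim&Address.email=attacker%40example.com"
    form = parse_form(body)
    acc = sample_accounts()
    vulnerable_update(acc, "attacker", form)   # victim's email is overwritten
    print("vulnerable:", acc["victim"]["email"])
    try:
        hardened_update(sample_accounts(), "attacker", form)
    except Forbidden as e:
        print("hardened:", e)
```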


Timeline

30/10/2015: Bug reported to Namecheap Security Team

03/11/2015: Bug Fixed

03/11/2015: Bug resolved and bounty $100 😀

03/11/2015: I asked them to bump the bounty

04/11/2015: The rules of our Bounty Program are common for any type of vulnerability, we don’t reward maximum bounty depending on the case reported. As a one-time exception it was increased to $1000 for you.


As we know, this amount is not good for this type of bug, because it was easily exploitable: using it, anyone could take over a victim's account, steal their domain names, and obtain more of their details.

Sorry for the bad English 😛

Thanks for reading, please share and comment.
