Password Reset Glitch Leads to Instant Account Takeover
I reported this bug in March 2023, but due to the team’s delay, I completely forgot about it. To my surprise, I discovered a week ago that they had actually responded about three months ago, in December 2023!
Anyway, let's discuss how I found this bug.
Let's call our target "target.com". After subdomain enumeration, I decided to focus on the main app.
I opened Burp and started interacting with the app, doing the normal actions like creating or deleting something, to capture the API requests so I could check them afterwards for any IDOR or access control bugs.
I started checking for IDORs, but unfortunately, it was secure.
I took a break, and after I came back, I checked some data from my scripts, like subdomains and screenshots, but found nothing interesting.
I tried reading the JavaScript files to check for any secrets, and reading the API requests, but found nothing :(
My bad luck.
The last thing I checked was the reset password page, so let's dig into it. I went to the reset password page, entered my email address and requested a reset. Up to this point there was no problem.