Broken Authentication in Mobile Application

Yasho, published in InfoSec Write-ups, Apr 16, 2020


A few months ago I did a penetration test of a mobile application and found an interesting vulnerability that let me compromise any account in the system. I set up a proxy between the application and the Internet so that I could intercept the requests and responses in Burp Suite.

I went through the password reset section. The flow was roughly as follows:

  1. The user types an email address and hits enter
  2. The backend checks that the email address exists
  3. The backend generates a unique token and saves it in the database
  4. The backend sends the token to the email address the user entered
  5. The user clicks the reset link in the email; the backend verifies the token and, if it is valid, shows the HTML form
  6. The user fills in the password fields; the new password and the token are sent to the server
  7. The backend verifies the token again, then changes the password

The vulnerability was in the fourth step: besides emailing the token, the backend returned the reset token in its response to the client, where anyone watching the traffic could read it:

Consequently, knowing only an account's email address was enough to obtain its reset token and change its password. I have seen this class of flaw in bug bounty programs before; here is a 10k example from Uber:
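To make the seven steps and the step-4 mistake concrete, here is an added example (my own code, not the tested application's or the author's) that models the flow with a hypothetical in-memory backend. `request_reset_vulnerable` echoes the token in the response, so an attacker who only knows the victim's email can finish the reset; `request_reset_hardened` returns a generic message, and its response is identical for known and unknown addresses so the endpoint cannot be used to enumerate accounts. It also goes beyond the write-up by storing only a hash of the token and making tokens expire and work once; all names, the user record and the outbox are constructed for the example.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass

# Hypothetical in-memory backend modelling the seven-step reset flow.
TOKEN_TTL_SECONDS = 15 * 60


@dataclass
class ResetRecord:
    email: str
    expires_at: float
    used: bool = False


class PasswordResetBackend:
    def __init__(self, users):
        self.users = dict(users)   # email -> password (constructed sample data)
        self.reset_records = {}    # sha256(token) -> ResetRecord
        self.outbox = []           # (email, token) pairs; stands in for the mail server

    @staticmethod
    def _token_key(token: str) -> bytes:
        # Store only a hash, so a database read-out does not yield usable tokens.
        return hashlib.sha256(token.encode()).digest()

    def _issue_token(self, email: str) -> str:
        # Steps 3 and 4: create an unguessable token, persist its hash, "send" it by email.
        token = secrets.token_urlsafe(32)
        self.reset_records[self._token_key(token)] = ResetRecord(
            email, time.time() + TOKEN_TTL_SECONDS
        )
        self.outbox.append((email, token))
        return token

    def request_reset_vulnerable(self, email: str) -> dict:
        # The flaw from the write-up: the token is echoed to whoever called the endpoint.
        if email not in self.users:
            return {"status": "error", "message": "unknown email"}
        token = self._issue_token(email)
        return {"status": "ok", "token": token}

    def request_reset_hardened(self, email: str) -> dict:
        # The token goes to the mailbox only, and the response does not reveal
        # whether the address is registered.
        if email in self.users:
            self._issue_token(email)
        return {"status": "ok",
                "message": "If that address is registered, a reset link has been sent."}

    def verify_token(self, token: str) -> bool:
        # Step 5: decide whether to show the form, without consuming the token.
        rec = self.reset_records.get(self._token_key(token))
        return rec is not None and not rec.used and time.time() <= rec.expires_at

    def reset_password(self, token: str, new_password: str) -> bool:
        # Steps 6 and 7: re-check the token, then burn it and change the password.
        if not self.verify_token(token):
            return False
        rec = self.reset_records[self._token_key(token)]
        rec.used = True
        self.users[rec.email] = new_password
        return True


def attacker_takeover(backend, victim_email, request_reset) -> bool:
    """Attacker knows only the victim's email and can read the HTTP response (as in Burp)."""
    resp = request_reset(victim_email)
    token = resp.get("token")
    if token is None:
        return False
    return backend.reset_password(token, "attacker-chosen-password")


def victim_resets_via_email(backend, email, new_password) -> bool:
    """Legitimate path: the account owner reads the token from their own mailbox."""
    backend.request_reset_hardened(email)
    token = next(t for e, t in reversed(backend.outbox) if e == email)
    return backend.verify_token(token) and backend.reset_password(token, new_password)


def demo():
    backend = PasswordResetBackend({"victim@example.com": "hunter2"})  # constructed sample user
    took_over_vuln = attacker_takeover(backend, "victim@example.com",
                                       backend.request_reset_vulnerable)
    took_over_hard = attacker_takeover(backend, "victim@example.com",
                                       backend.request_reset_hardened)
    return took_over_vuln, took_over_hard


if __name__ == "__main__":
    print(demo())  # (True, False)
```

When testing a real reset flow, the check is the same one the code makes explicit: request a reset for an address you control, then read the raw response in the proxy and confirm the token appears only in the email, never in the HTTP body, headers or any follow-up API call.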

The details:
