![Apple's F1 Camera Rig Revealed [Video]](https://www.iclarified.com/images/news/97651/97651/97651-640.jpg)
![Apple Shares New Apple Arcade Ad: 'Hold That Train!' [Video]](https://www.iclarified.com/images/news/97653/97653/97653-640.jpg)
![Apple Shares New Shot on iPhone Film: 'Big Man' [Video]](https://www.iclarified.com/images/news/97654/97654/97654-640.jpg)
_Brain_light_Alamy.jpg?width=1280&auto=webp&quality=80&disable=upscale#)
![[The AI Show Episode 153]: OpenAI Releases o3-Pro, Disney Sues Midjourney, Altman: “Gentle Singularity” Is Here, AI and Jobs & News Sites Getting Crushed by AI Search](https://www.marketingaiinstitute.com/hubfs/ep%20153%20cover.png)
![[DEALS] Internxt Cloud Storage Lifetime Subscription (20TB) (89% off) & Other Deals Up To 98% Off – Offers End Soon!](https://www.javacodegeeks.com/wp-content/uploads/2012/12/jcg-logo.jpg){kind=logo}
.png?width=1920&height=1920&fit=bounds&quality=70&format=jpg&auto=webp#)
Password Reset Poisoning Attack Allows Account Takeover Using the Password Reset Link
A critical vulnerability in password reset mechanisms has been discovered that allows attackers to completely take over user accounts by manipulating password reset links. Security researcher Pratik Dabhi recently disclosed details of a Host Header Injection attack that exploits how web applications construct password reset URLs, potentially affecting millions of users across various platforms. Password […] The post Password Reset Poisoning Attack Allows Account Takeover Using the Password Reset Link appeared first on Cyber Security News.
A critical vulnerability in password reset mechanisms has been discovered that allows attackers to completely take over user accounts by manipulating password reset links.
Security researcher Pratik Dabhi recently disclosed details of a Host Header Injection attack that exploits how web applications construct password reset URLs, potentially affecting millions of users across various platforms.
Password Reset Poisoning Vulnerability
Password Reset Poisoning occurs when web applications improperly rely on user-supplied HTTP headers to construct password reset links.
When users request a password reset, applications typically send an email containing a unique token-based URL such as https://example.com/reset?token=abc123.
However, if the application uses the Host header from the HTTP request to build this URL without proper validation, attackers can manipulate the destination domain.
The vulnerability was discovered during reconnaissance testing on an account subdomain at https://account.example.com/en/cant-login. The researcher captured the following HTTP request using Burp Suite:
By modifying the Host header to Host: bing.com and resending the request, the password reset email contained a malicious link pointing to https://bing.com/reset?token=abcdef123456 instead of the legitimate domain.
The attack process involves intercepting the password reset request and replacing the Host header with an attacker-controlled domain.
When the victim receives the password reset email and clicks the link, their reset token is sent to the attacker’s server instead of the legitimate application.
This allows the attacker to use the valid token on the real website to reset the victim’s password and gain complete account access.
The exploitation requires minimal technical sophistication, using standard penetration testing tools like Burp Suite to modify HTTP headers.
The attack can be automated and scaled to target multiple users simultaneously, making it particularly dangerous for applications with large user bases.
Mitigation Strategies
According to the report, the security implications are severe, enabling complete account takeover with access to sensitive personal information, financial data, and confidential business information.
Beyond individual account compromise, organizations face significant reputational damage and potential regulatory compliance violations.
Effective mitigation requires implementing server-side domain validation using trusted configuration variables like SERVER_NAME instead of relying on user-supplied Host headers.
Applications should maintain allowlists of legitimate domains and reject requests containing unauthorized hosts. Regular security audits, penetration testing, and code reviews can identify similar vulnerabilities before exploitation occurs.
This discovery highlights the critical importance of validating all user inputs, including HTTP headers that developers might overlook during security assessments.
Meet the cyber warriors Who Stopped the WannaCry Ransomware attack => Free Live Webinar
The post Password Reset Poisoning Attack Allows Account Takeover Using the Password Reset Link appeared first on Cyber Security News.
