Monnit Cloud Platforms Password Reset Vulnerability Allowing Account Takeover

Vulnerability

A critical authentication vulnerability has been identified in Monnit cloud platforms (*.imonnit.com) that allows an attacker to gain unauthorized access to other users' accounts. The password reset endpoint takes the target email address and username from the request and does not verify that the submitted reset token was issued for that address. As a result, an attacker can use a valid token issued for their own account to set a new password on any other user's account and take it over. Because only the attacker's own token is required, every account on the platform is exposed.

Impact

Exploitation of this vulnerability leads to full account takeover. An attacker can access the victim's dashboards, sensors and account data, and can modify devices, notifications and configurations, all without any interaction from the victim.

Reproduction

To reproduce this vulnerability, the attacker first creates an account, then requests a password reset for both their own account and the victim's account. The attacker receives only the token issued for their own account. They then submit that token to the reset endpoint with the email and username fields changed to the victim's values, and the endpoint sets the attacker-chosen password on the victim's account.

Remediation

Monnit should bind each reset token server-side to the account it was issued for and derive the target account from that binding rather than from the email or username fields supplied in the request; a token whose bound address does not match the requested one must be rejected. Tokens should also be short-lived and single-use, invalidated immediately after a successful reset so they cannot be replayed.
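The handler pattern behind the Reproduction and Remediation sections, as an added illustration that is not Monnit's code: a minimal in-memory reset flow with the vulnerable handler (token checked only for existence, target account taken from the request) beside a hardened one (target derived from the token's server-side binding, expiry enforced, token consumed on use). All account names, addresses and the ResetStore/Account classes are hypothetical, and the attack scenario is constructed from the advisory's description.

```python
"""Minimal model of a password-reset flow: the token-binding bug the advisory
describes (reset_vulnerable) next to a hardened handler (reset_fixed).
All names, addresses and data here are hypothetical; this is not Monnit's code."""
import hmac
import secrets
import time
from dataclasses import dataclass, field


@dataclass
class Account:
    email: str
    username: str
    password: str


@dataclass
class ResetStore:
    # Hypothetical in-memory stand-ins for the accounts table and the reset-token table.
    accounts: dict = field(default_factory=dict)  # email -> Account
    tokens: dict = field(default_factory=dict)    # token -> (bound email, expiry epoch)

    def issue_reset(self, email, ttl=900):
        """Issue a reset token bound to `email`; in a real system it is e-mailed only
        to that address. Returns None for unknown accounts (the HTTP layer should
        not reveal that difference to the requester)."""
        if email not in self.accounts:
            return None
        token = secrets.token_urlsafe(32)
        self.tokens[token] = (email, time.time() + ttl)
        return token

    def reset_vulnerable(self, token, email, username, new_password):
        """The pattern the advisory describes: the token is only checked for existence,
        and the client-supplied email/username decide whose password changes."""
        if token not in self.tokens:
            return False
        acct = self.accounts.get(email)
        if acct is None or acct.username != username:
            return False
        acct.password = new_password  # any valid token resets any account
        return True                   # token is never invalidated, so it can be replayed

    def reset_fixed(self, token, email, username, new_password):
        """Hardened handler: the target account comes from the token's server-side
        binding, the request's email must match it, the token must be unexpired,
        and it is consumed on success. `username` is accepted for API compatibility
        but never used to select the account."""
        entry = self.tokens.get(token)
        if entry is None:
            return False
        bound_email, expires_at = entry
        if time.time() > expires_at:
            del self.tokens[token]  # expired tokens are dropped, not honoured
            return False
        # Constant-time compare; a mismatch means the token was issued for someone else.
        if not hmac.compare_digest(bound_email.encode(), email.encode()):
            return False
        acct = self.accounts.get(bound_email)
        if acct is None:
            del self.tokens[token]
            return False
        del self.tokens[token]  # single use
        acct.password = new_password
        return True


def run_attack(use_fix):
    """Replay the advisory's scenario (constructed data) against one of the handlers
    and report whether the takeover, the attacker's own legitimate reset, and a
    replay of the same token succeeded."""
    store = ResetStore()
    store.accounts["victim@example.com"] = Account("victim@example.com", "victim", "Victim-Pass-1")
    store.accounts["attacker@example.com"] = Account("attacker@example.com", "attacker", "Attacker-Pass-1")
    store.issue_reset("victim@example.com")             # triggered by the attacker; goes to the victim's inbox
    token = store.issue_reset("attacker@example.com")   # this one lands in the attacker's inbox
    handler = store.reset_fixed if use_fix else store.reset_vulnerable
    takeover = handler(token, "victim@example.com", "victim", "attacker-chosen")
    legit = handler(token, "attacker@example.com", "attacker", "attacker-new")
    replay = handler(token, "attacker@example.com", "attacker", "attacker-replay")
    return {
        "takeover": takeover,
        "victim_password": store.accounts["victim@example.com"].password,
        "legit": legit,
        "replay": replay,
    }


if __name__ == "__main__":
    print("vulnerable:", run_attack(False))
    print("fixed:     ", run_attack(True))
```

With the vulnerable handler the attacker's token changes the victim's password and can be replayed; with the fixed handler the cross-account attempt is refused, the attacker's own reset still works once, and the token is dead afterwards. The only structural change is where the target account comes from: the token record, never the request body.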

Added: Nov 26, 2025, 8:21 PM
Updated: Nov 26, 2025, 8:21 PM

Vulnerability Rating

Custom Algorithm
spread          0.0
impact          5.0
exploitability  8.7
remediation     0.0
relevance       1.1
threat          6.4
urgency         2.9
incentive       5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.