Known Password Reset Token Leakage Vulnerability Allowing Account Takeover

Vulnerability

A critical broken authentication vulnerability has been identified in the Known social publishing platform, specifically in versions prior to 1.6.3. The application leaks the password reset token in a hidden HTML input field on the password reset page. Any unauthenticated attacker can therefore obtain the reset token for any user simply by requesting a password reset for that user's email address. The attacker can then reset the user's password and gain full access to the account without needing access to the victim's email inbox.

Impact

Exploitation of this vulnerability allows for unauthorized password resets, leading to account takeover. This includes access to any administrative accounts that may exist on the platform.

Reproduction

To reproduce this vulnerability, request a password reset for a user by providing their email address. Once the reset request is made, the password reset page will reveal a hidden token in the HTML source. This token can be extracted and used to reset the user's password, effectively taking over the account.

Remediation

Users can update to Known version 1.6.3, which addresses this vulnerability by removing the token from the password reset page and implementing proper validation for password reset requests.
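The remediation above describes two properties: the token never appears in the page returned to the requester, and it is validated server-side when redeemed. The following Python sketch is an added example, not Known's code. The class, function names, token lifetime and sample addresses are all assumptions. It models both properties and includes a regression check for the leak.

```python
import hashlib, hmac, secrets, time

TOKEN_TTL = 3600  # seconds; assumed lifetime, not a value from the advisory

class ResetService:
    """Hypothetical reset flow for illustration; not Known's implementation."""

    def __init__(self, users, clock=time.time):
        self.users = users      # email -> credential (constructed sample store)
        self.pending = {}       # email -> (sha256 of token, expiry time)
        self.outbox = []        # stands in for the mail system: (email, token)
        self.clock = clock

    def request_reset(self, email):
        """Return the page shown to the requester; it never carries the token."""
        if email in self.users:
            token = secrets.token_urlsafe(32)
            digest = hashlib.sha256(token.encode()).hexdigest()
            self.pending[email] = (digest, self.clock() + TOKEN_TTL)
            self.outbox.append((email, token))  # delivered out of band only
        # Identical body whether or not the account exists.
        return "<p>If that address is registered, a reset link has been sent.</p>"

    def redeem(self, email, token, new_password):
        """Validate the token server-side: time limited and single use."""
        entry = self.pending.get(email)
        if entry is None:
            return False
        digest, expiry = entry
        supplied = hashlib.sha256(token.encode()).hexdigest()
        if self.clock() > expiry or not hmac.compare_digest(digest, supplied):
            return False
        del self.pending[email]                 # burn the token after use
        self.users[email] = new_password        # real code stores a password hash
        return True

def page_leaks_token(service, email):
    """Regression check: does any token issued for email appear in the page?"""
    body = service.request_reset(email)
    return any(tok in body for addr, tok in service.outbox if addr == email)
```

A check like `page_leaks_token` belongs in the test suite of any application with a reset flow, run against the real rendered response rather than this model.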

Added: Feb 14, 2026, 2:38 AM
Updated: Feb 14, 2026, 2:38 AM

Vulnerability Rating

Custom Algorithm

spread: 2.2
impact: 1.3
exploitability: 9.3
remediation: 7.7
relevance: 3.0
threat: 6.4
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.