Account Take Over by Response Manipulation

Hi all, I hope everyone is doing well. This writeup is all about an account takeover vulnerability found by manipulating the login response.

Technical information

I have been testing for bugs in responsible disclosure programs and, as usual, I found a program, read all of its rules of engagement and finally decided to check it.

Let’s consider the target as which is an online platform to make payments, order food, etc.

I quickly signed up with the necessary information as Account 1 ( as below,

signup page

After signing up, the application sent a confirmation link to the given email. I verified the email and it directed me to the account settings page. I decided to log out and log in again to observe how the application handles the login request.

login page

I figured out that the application uses an API to authenticate the user, so I intercepted the request and observed how the API handles the login process.

Login request and response of

I observed that the signup and login responses are similar with only a few differences, so I decided to replace the login response with a signup response. I quickly logged out, created another account, and captured the signup response of Account 2 (

It’s go time…

Logged in again with Account 1 ( using the same email ID but a different password,

login again

Intercepted the login request as below

Login request of Account 1 (

and applied Do -> Intercept this request -> Response in the Burp Suite proxy, then changed the 401 Unauthorized login response

401 Unauthorized

into the 200 OK signup response of Account 2 (

200 OK signup response of Account 2 (

and changed the email parameter in the response to the email ID of Account 1 ( and forwarded all the requests.

Account 1 ( settings page

It quickly directed me to the settings page of Account 1 ( so I had successfully logged into Account 1 ( without the password by manipulating the login response into a signup response.
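For a forged 200 response to end in another user's settings page, the backend must be treating the email the client claims as the logged-in identity instead of the identity bound to its own session token; the writeup does not spell out the server side, so that is my reading of it. The following added example (my own simulation, not the target's code, with constructed accounts and tokens) shows that vulnerable pattern next to the hardened one, where identity comes only from the server-issued token:

```python
import hmac
import secrets
from hashlib import sha256

# Constructed sample accounts. Unsalted sha256 is only a stand-in here;
# a real service should use a proper password hash (argon2, bcrypt, scrypt).
USERS = {
    "account1@example.test": {"pw_hash": sha256(b"correct-horse").hexdigest(),
                              "settings": {"name": "Account 1"}},
    "account2@example.test": {"pw_hash": sha256(b"attacker-pw").hexdigest(),
                              "settings": {"name": "Account 2"}},
}
SESSIONS = {}  # token -> email, kept server-side only


def login(email, password):
    """Return (status, body). The server, not the client, decides who a token belongs to."""
    user = USERS.get(email)
    if not user or not hmac.compare_digest(user["pw_hash"], sha256(password.encode()).hexdigest()):
        return 401, {"error": "Unauthorized"}
    token = secrets.token_hex(16)
    SESSIONS[token] = email
    return 200, {"email": email, "token": token}


def settings_vulnerable(token, email):
    # Vulnerable: the token is only checked for existence, and the record
    # served is chosen by the email the client asserts (e.g. from a forged response).
    if token not in SESSIONS:
        return 401, None
    return 200, USERS[email]["settings"]


def settings_hardened(token, email=None):
    # Hardened: the client-supplied email is ignored; identity is whatever
    # the server bound to the token at a real, successful login.
    owner = SESSIONS.get(token)
    if owner is None:
        return 401, None
    return 200, USERS[owner]["settings"]


def simulate_flow():
    """Replays the writeup's flow: attacker holds a valid token for Account 2 only."""
    _, body = login("account2@example.test", "attacker-pw")
    attacker_token = body["token"]
    login_status, _ = login("account1@example.test", "wrong-password")  # real server answer: 401
    forged_email = "account1@example.test"  # what the tampered 200 response tells the client
    return login_status, settings_vulnerable(attacker_token, forged_email), settings_hardened(attacker_token, forged_email)
```

The vulnerable endpoint hands back Account 1's settings although the server never authenticated Account 1, while the hardened endpoint returns only the data of the account the token was issued for.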

Thanks for reading.

Follow me on Twitter: thevillagehacker
