What is an Account Takeover (ATO)?

Account Takeover is a type of cyberattack in which an attacker takes over a victim’s user account through malicious means. The attacker does not need to know the victim’s sensitive credentials in advance to gain access to an account. Instead, the victim’s login credentials or an active session must first be obtained through approaches such as phishing, malware, man-in-the-middle attacks, and others.

Read on to learn more about Account Takeover Techniques.

Techniques of Account Takeover

The following are the most common techniques used to take over a victim’s secured account.

Cross-Site Request Forgery (CSRF)

If there is a CSRF vulnerability in the email/phone change functionality, it can be abused to update the email/phone of a victim, and a password reset can be performed.

Password Reset Poisoning

If there is a host header injection vulnerability present in the application, it can be abused to poison the password reset token. The reset token can be accessed by the attacker if the host header is changed to an attacker-controlled domain. A CRLF injection can also be abused to inject a custom host header.


Password Reset Token Leak

When a password reset is requested, the application may leak the password reset token in the response itself.

No Rate Limiting

If there is no rate limiting on the password reset OTP input and the length of the OTP string is known, then this can be abused to brute force all possibilities of the OTP string, and the account can be taken over.

Stealing OAuth Tokens

If an open redirect vulnerability exists in the OAuth flow of the application, the OAuth tokens can be stolen: the victim is redirected to an attacker-controlled domain through the open redirect, and the token is exposed to that domain.

Response Manipulation

Take a look at the difference in the response between a successful and an unsuccessful login attempt. There may be a client-side dependency on that response that triggers a login or a password change. Replace the unsuccessful response with the successful response and look for a possibility of account takeover.

Username Collision

Sign up on an application with an existing username and add a white space before/after the username. This will create a new account with a similar username. Reset the password of the malicious account. This may result in the victim’s account takeover.


Insecure Direct Object References (IDOR)

If there is an IDOR vulnerability in the email/phone change functionality, it can also be used to reset the password after updating the email/phone of the victim.

If the application uses some kind of user identifier in the password reset functionality, it can also be abused for account takeover through IDOR by changing the user identifier to that of the victim.

Parameter Pollution

Use parameter pollution to induce IDOR or parsing errors in the backend of the application during login or password reset. This may result in an account takeover.

Example: email=victim@hello.world&email=hacker@hello.world
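A server-side check for the duplicated-parameter input shown above, as an added example (not code from the original post): it shows that first-wins and last-wins parsers disagree on which address is used, and rejects the request instead of choosing one. The function names and the clean sample body are assumptions made for illustration.

```python
from urllib.parse import parse_qsl

# The polluted body from the example above.
POLLUTED = "email=victim@hello.world&email=hacker@hello.world"
# Constructed sample of a well-formed reset request (hypothetical values).
CLEAN = "email=user@hello.world&token=abc123"


class DuplicateParameter(ValueError):
    """Raised when a form field appears more than once."""


def first_wins(body: str) -> dict[str, str]:
    """How a component that keeps the FIRST occurrence sees the body."""
    out: dict[str, str] = {}
    for key, value in parse_qsl(body, keep_blank_values=True):
        out.setdefault(key, value)
    return out


def last_wins(body: str) -> dict[str, str]:
    """How a component that keeps the LAST occurrence sees the body."""
    return dict(parse_qsl(body, keep_blank_values=True))


def parse_strict(body: str) -> dict[str, str]:
    """Parse a form body and refuse any repeated field.

    If a validation layer and the business logic disagree on which
    occurrence is authoritative, the check runs on one address and the
    reset mail goes to another. Rejecting duplicates removes the ambiguity.
    """
    seen: dict[str, str] = {}
    for key, value in parse_qsl(body, keep_blank_values=True, strict_parsing=True):
        if key in seen:
            raise DuplicateParameter(f"parameter {key!r} supplied more than once")
        seen[key] = value
    return seen


if __name__ == "__main__":
    print("first-wins view:", first_wins(POLLUTED)["email"])
    print("last-wins view: ", last_wins(POLLUTED)["email"])
    try:
        parse_strict(POLLUTED)
    except DuplicateParameter as exc:
        print("rejected:", exc)
    print("accepted:", parse_strict(CLEAN))
```

Apply the strict parse once at the edge, before any validation or lookup, and pass the resulting dictionary downstream so that every layer sees the same single value.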

One of the most destructive major attacks is the account takeover attack, in which unscrupulous actors combine data from several accounts and resell it on dark markets. The risk of account takeover exists for any company that provides credential-protected accounts to employees or customers. This is why it is important for all organizations to be proactive in preventing serious account takeover issues.


Learn account takeover techniques in detail and how to prevent account takeovers in our blog series. Stay tuned to this page for more updates.

