API Endpoint leads to Account Takeover In Android Application

Hello Readers

This is  My First blog post  about my research in Android Application ,

TO Chaliye Shuru Karte hai !!!

What is TOKEN in API ?

Tokens are used in token-based authentication to allow an application to access an API. The application receives an Access Token after a user successfully authenticates and authorizes access, then passes the Access Token as a credential when it calls the target API.

"each user having their own token for maintaining authenticity" 

For Account takeover we need to have users email 

 1 Getting Token For user using API endpoint

    Intercept the request For this URL
      https://apiendpint.com/admin/apis/mobile/v1/check_user

   Send the request to repeater 

  
   Enter  user id of victim , and check response will get token

  

 

 

2 Using token What Attacker can DO :

 Attacker Perform All Operations provided in Android Application using this vulnerability

For example

       

   1 update profile of any user

   2 get profile Of any user

   3 get_payment_history

   4 withdraw_request

Thanks for reading