And here is my first post, about how I reset users' passwords on a Yahoo! subdomain.
http://arabeye.yahoo.com is a Yahoo! Maktoob Research Community,
and I decided to have a look at the Forgot Password functionality and see how it works on this site.
– First, you must enter a valid email address to verify yourself, and the site checks whether the email exists in the database. If it does, it gives you the option to send an email; if the email does not exist it tells you "Invalid Email" (by the way, this is user enumeration / user harvesting).
Yahoo! ArabEye gives you two methods to reset your password:
1. Send reset link directly to my e-mail
2. Answer the two security questions
So back to the first method, "Send reset link directly to my e-mail". After checking the form and the POST data I found a hidden field with the name "where_email", and this field contains the user email which I entered in the previous step ^_^ I told myself: is this right? (The developer saves the email in a hidden field and then sends the reset password link to this email.) :O That's true.
So what should I do now!? You are right man ^_^ .... just edit the request and change the victim's email address to the attacker's email address in the "where_email" parameter.
After 2 minutes I found the reset password link in the attacker's email inbox. My feeling was like (Edeloo Edy)
Here is the proof of concept video
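To show the root cause from the defender's side, here is an added example (my own illustration, not ArabEye's code) of the reset flow with the trusted hidden-field pattern beside a hardened version that resolves the recipient from server-side state. The user table, mail transport, and the "reset_request" field name are assumptions; the step-1 response is also made identical for unknown addresses to close the user enumeration noted above.

```python
import secrets

# Constructed stand-ins for the site's user table and mail transport (assumptions,
# not the real ArabEye back end); OUTBOX records what would have been emailed.
USERS = {"alice@example.com": 1}
OUTBOX = []


def send_reset_email(to_addr, token):
    OUTBOX.append((to_addr, token))


def vulnerable_send_reset(form):
    """Vulnerable pattern from the post: the recipient is read back from the
    hidden form field 'where_email', so whoever submits the form picks it."""
    target = form["where_email"]
    send_reset_email(target, secrets.token_urlsafe(32))
    return target


PENDING = {}  # opaque request id -> email resolved on the server in step 1


def start_reset(email):
    """Step 1, hardened: resolve the account server-side, hand the client only an
    opaque id, and answer identically whether or not the account exists so the
    form cannot be used for user enumeration."""
    rid = secrets.token_urlsafe(16)
    if email in USERS:
        PENDING[rid] = email          # only real accounts get a pending entry
    # unknown addresses receive a decoy id that never maps to an account
    return rid, "If that address is registered, a reset link will be sent."


def hardened_send_reset(form):
    """Step 2, hardened: the recipient comes from PENDING keyed by the opaque id;
    any 'where_email' the client sends is ignored."""
    email = PENDING.pop(form.get("reset_request"), None)
    if email is None:
        return None                   # unknown, expired or decoy request: nothing sent
    send_reset_email(email, secrets.token_urlsafe(32))
    return email
```

The vulnerable function delivers the link wherever `where_email` points; the hardened one only ever mails the address looked up in step 1.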