OAuth Misconfig — Leads to Account Takeover
2021-02-12 01:20:56 Author: medium.com

Rakesh Elamaran

Hello Infosec Community,

This is my first writeup, for a vulnerability I reported that earned me my first bug bounty payout.

Let’s Start:)


How I Found the Target

I am a part-time bug hunter who loves to hunt bugs on web applications. After plenty of duplicates and "not applicable" reports on bug-hunting platforms, I decided to hunt on RVDP programs, where there would be less competition. I reported bugs and got some thank-you mails and a few hall-of-fame entries for securing those applications.

After some time I started hunting websites at random, the kind of web applications we use in our day-to-day life. I practised on websites that don't even have an RVDP program or any security team. I reported the bugs to them, but as we all know, many companies never respond (a struggle every bug hunter faces). Still, there are companies out there who respect bug hunters ❤️

I selected one such website and started basic scanning and reconnaissance. I will use example.com as the website name.


I found that example.com offered two sign-up methods:

  1. An email address (Gmail) plus a password set by the user
  2. OAuth sign-in (the part that turned out to be misconfigured)

I started checking for OAuth bugs.

What is OAuth?

OAuth is an open-standard authorization protocol (or framework) that describes how unrelated servers and services can safely allow authenticated access to their assets without sharing the original, single login credential. In authentication parlance, this is known as secure, third-party, user-agent, delegated authorization.

In short, OAuth offers a one-click sign-up that end users (and security researchers) adopt readily.

The website example.com used Twitter, Facebook, Google and Apple OAuth for sign-in. Playing the victim, I signed up and logged into the application via Google sign-in.

Steps To Reproduce

  1. Sign up for an account with the victim's name and email address, and set a password (attacker phase).
  2. You now hold credentials for the victim's account: the victim's email address and the password you set.
  3. Later, unaware of this, the victim creates an account through the Google OAuth sign-in using that same email address.
  4. Because the OAuth sign-in never asks for a password, the victim is not required to set one, and the password from step 1 remains valid on the account.

Exploit Scenario

The attacker can access the victim's account with the password set in the attacker phase. Any setting can be changed by the attacker, and if the website holds premium or payment details, this leads to leakage of sensitive information. The attacker can use the victim's account whenever they want.
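To show the account-linking defect behind the steps above, here is an added Python model (written for this page, not code from the original post or from example.com) of an account store: the vulnerable variant links a Google OAuth login to whatever pre-registered account already holds the same email, while the hardened variant treats an unverified pre-registered account as unclaimed and discards its password. `Account`, `AccountStore` and the hash and subject strings are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Account:
    email: str
    password_hash: Optional[str] = None        # set by email+password sign-up
    email_verified: bool = False               # True once the address is confirmed
    oauth_subjects: Dict[str, str] = field(default_factory=dict)  # provider -> subject


class AccountStore:
    def __init__(self, hardened: bool):
        self.hardened = hardened
        self.accounts: Dict[str, Account] = {}

    def password_signup(self, email: str, password_hash: str) -> Account:
        # Neither variant confirms the address at sign-up: the writeup's precondition.
        acct = Account(email, password_hash)
        self.accounts[email] = acct
        return acct

    def password_login(self, email: str, password_hash: str) -> bool:
        acct = self.accounts.get(email)
        return acct is not None and acct.password_hash == password_hash

    def oauth_login(self, provider: str, subject: str, email: str) -> Account:
        """The provider asserts the user owns `email`; link to or create an account."""
        acct = self.accounts.get(email)
        if acct is None:
            acct = Account(email, email_verified=True)
            self.accounts[email] = acct
        elif self.hardened and not acct.email_verified:
            # Pre-existing account whose email was never confirmed: the OAuth user
            # is the proven owner, so the unverified password credential is dropped.
            acct.password_hash = None
            acct.email_verified = True
        acct.oauth_subjects[provider] = subject
        return acct


def pre_account_takeover(hardened: bool) -> bool:
    """Replay the writeup's steps; True means the attacker's password still works."""
    store = AccountStore(hardened)
    store.password_signup("victim@example.com", "hash(attacker-chosen)")  # step 1
    store.oauth_login("google", "sub-1234", "victim@example.com")         # step 3
    return store.password_login("victim@example.com", "hash(attacker-chosen)")
```

`pre_account_takeover(False)` returns True (the attacker keeps access), `pre_account_takeover(True)` returns False; a real fix would also require email verification before a password sign-up becomes usable at all.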


Source: https://medium.com/bugbountywriteup/oauth-misconfig-leads-to-account-takeover-7a360e6d9cac?source=rss----7b722bfd1b8d--bug_bounty