OAuth Misconfig → Account Takeover

OAUTH MISCONFIGURATION
  1. Create an account using the “Sign in with Email” option, using the victim’s email address and any password you choose. (For testing purposes, use your own email address.)
  2. After signing up, log out of the account and try to log in with the OAuth functionality.
  3. Once you are in the account, change some information, such as the name or address.
  4. Log out again and sign in with the email and password you created in step 1.
  5. If you can see the account with the changed information, bang on! You have found a vulnerability.
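The five steps above probe one decision in the application: when an OAuth login arrives with an email that already exists in the user table, does the app attach that login to the existing row without either side having proven ownership of the mailbox? The following is an added example, not code from the post, that models that decision in a constructed in-memory user table; `User`, `link_vulnerable`, `link_hardened` and the `email_verified` flag are hypothetical names standing in for a real provider's verified-email claim and the app's own verification state.

```python
from dataclasses import dataclass, field

@dataclass
class User:
    email: str
    password: str = None            # set only for "Sign in with Email" accounts
    email_verified: bool = False    # has the local account confirmed its mailbox?
    oauth_subjects: set = field(default_factory=set)  # linked provider identities
    name: str = ""

USERS = {}  # constructed in-memory user table standing in for the database

def signup_with_email(email, password):
    # Step 1: a row keyed on an address nobody has confirmed yet.
    USERS[email] = User(email=email, password=password)
    return USERS[email]

def link_vulnerable(sub, email, email_verified):
    # Vulnerable: any OAuth login whose email matches an existing row is
    # logged into that row, regardless of verification state on either side.
    user = USERS.setdefault(email, User(email=email, email_verified=email_verified))
    user.oauth_subjects.add(sub)
    return user

def link_hardened(sub, email, email_verified):
    # Hardened: auto-link only when the provider vouches for the email AND the
    # local account has confirmed the same mailbox; otherwise refuse and require
    # an explicit, authenticated link. Verifying the mailbox at email signup
    # removes the unverified row in the first place.
    user = USERS.get(email)
    if user is None:
        user = USERS[email] = User(email=email, email_verified=email_verified)
    elif not (email_verified and user.email_verified):
        raise PermissionError("email ownership unproven; manual linking required")
    user.oauth_subjects.add(sub)
    return user

def login_with_password(email, password):
    # Step 4: the password chosen in step 1 is presented again.
    user = USERS.get(email)
    return user if user and user.password == password else None

def run_steps(link):
    # Steps 1-5 end to end; returns the profile name visible after step 4.
    USERS.clear()
    signup_with_email("victim@example.com", "chosen-in-step-1")
    try:
        victim = link("idp|123", "victim@example.com", email_verified=True)  # step 2
    except PermissionError:
        return None                                  # hardened app refuses to link
    victim.name = "changed by victim"                # step 3
    me = login_with_password("victim@example.com", "chosen-in-step-1")  # step 4
    return me.name if me else None                   # step 5: changed info visible?
```

With the vulnerable linker the step-1 password still opens the account after the OAuth user edited it; with the hardened linker the OAuth login is not attached to the unverified row, so nothing leaks.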

Parth Shukla, Security Analyst, Bug XS Community Leader