OAuth Misconfig → Account Takeover

Hello Folks 👋,

Parth this side from BUG XS team. In this blog I am going to explain how I found an account takeover issue on a domain. Let’s jump into vulnearblity without things like I woke up today and decided…, went for a coffee… and blah blah blah 😂

OAUTH MISCONFIGURATION

So, This is the first and foremost bug I check as soon as I see OAuth functionality. Here are the steps that you can follow to reproduce the issue. This is also regarded as P3 vulnerability in Bugcrowd Taxonomy. Also, This attack is known as Pre-Account Takeover.

  1. Create a account using “Sign in with Email” option.Use Victim’s email address and set password whatever you want. ( For testing purpose use your own email address)
  2. Next after sign up, log out of the account and trying login with OAuth Functionality.
  3. Now once you are in the account , change some info like Name, address or anything.
  4. Now again logout and sign in with Email and Password you created on Step 1.
  5. If you can see the account with changed info, bang on! You found a vulnerability.

I was rewarded with $$$ for this amazing and easy ATO :-p

Okay, now if you are confused let me give a link to live PoC along with explanation : https://www.youtube.com/watch?v=kvFyBKjpEXo&t=6s

Cheery on the cake is you can find a sample report of this vulnearblity on the community website which is mentioned below. Do have a visit.

If you read till here. Let’s Connect!

Instagram ( Community ) : https://www.instagram.com/bug_xs/

Website ( Community ) : https://www.bugxs.co/

Website (Personal ) : https://www.parthshu.com

I hope you found this productive! 🙌

See you soon guys ❤

Bug Bounty hunter , Security Analyst, Bug XS Community Leader