Hi everyone, I am socalledhacker: a security researcher, penetration tester, certified ethical hacker and a web3 noob. In the past months I have discovered lots of bugs, but in today’s article we are going to discuss OAuth Misconfiguration Pre-Account Takeover, which I discovered recently, so without further delay let’s start….
OAuth Misconfiguration Pre-Account Takeover
I have discovered lots of OAuth misconfiguration pre-account takeover bugs in the past, and it is the bug I find the most: in almost every program I hunt on that has a login feature via OAuth, I have found OAuth misconfiguration pre-account takeover. OAuth functionality is not easy to implement securely, and it is also complex to implement, so developers always make mistakes in the configuration, which is the cause of this bug.
So let’s talk about how to find and test this bug. Say you have a target with a login function via OAuth. Create an account using your email address; a verification link will be sent to that email address. Don’t verify it.
Now log out of your account and create an account using the same email address, but this time use OAuth via Google to create the account with that same email address.
By doing that, both accounts (the normal signup and the signup via Google) are linked to each other but also work independently: you can access the account both via email and password and via SSO.
Now you are thinking, what’s the impact of this? – “Wait a moment, have some patience”
Think about it like this: if an attacker has your email address, he can create an account on a website that has the OAuth misconfiguration pre-account takeover vulnerability, and the email verification link lands in your inbox. Some time later you create an account on the same website using SSO, so both accounts are linked together: the attacker can access it via email and password while you are using it via SSO. Now tell me in the comments whether it has impact or not.
As always, time for the POC…. 🙂
Description:- OAuth is an authorization framework used to identify and authenticate users for an application. There are a number of implementation misconfigurations which can lead to an OAuth framework being implemented insecurely. These misconfigurations can lead to a broad range of issues which could allow an attacker to manipulate or retrieve sensitive data and potentially bypass the authentication process.
Steps to reproduce:-
1 – Go to https://www.example.com
2 – Register on the target with victim@gmail.com using email registration
3 – A verification email will be sent (don’t verify it)
4 – Now the victim uses his OAuth account (victim@gmail.com) for registration and is logged in
5 – The attacker can now log into the victim’s account using the normal login (email and password), and the victim can use the same account using OAuth.
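To make the root cause concrete, here is an added example in Python (not code from the original post, and not any real site’s implementation) that models the account-linking decision behind steps 2 to 5. The vulnerable rule auto-links any existing account whose email matches the identity provider’s email claim, which is exactly what leaves the attacker’s password working beside the victim’s SSO login. The hardened rule treats a password that was set without ever completing the app’s own email verification as untrusted and revokes it at link time (refusing to link and prompting the user is an equally valid alternative). All names such as AccountStore, register_with_password and login_with_oauth are hypothetical, and the email addresses, passwords and subject ids are constructed sample values.

```python
# Added example, not code from the original post: a minimal model of the
# account-linking decision behind an OAuth pre-account takeover. The vulnerable
# rule (auto-link any existing account whose email matches the IdP claim) sits
# beside a hardened rule that revokes credentials nobody ever verified.
# All names (AccountStore, register_with_password, ...) are hypothetical, and
# the emails, passwords and subject ids are constructed sample values.
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    email: str
    salt: Optional[bytes] = None            # None when no password is set
    password_hash: Optional[bytes] = None
    email_verified: bool = False            # set only by the app's own link
    oauth_subjects: Set[str] = field(default_factory=set)  # linked IdP ids


class AccountStore:
    """In-memory user table; strict=True selects the hardened linking rule."""

    def __init__(self, strict: bool) -> None:
        self.strict = strict
        self.accounts: Dict[str, Account] = {}

    def register_with_password(self, email: str, password: str) -> Account:
        if email in self.accounts:
            raise ValueError("email already registered")
        salt = os.urandom(16)
        acct = Account(email=email, salt=salt,
                       password_hash=_hash_password(password, salt))
        self.accounts[email] = acct
        return acct

    def verify_email(self, email: str) -> None:
        """Simulates the user clicking the verification link the app sent."""
        self.accounts[email].email_verified = True

    def login_with_password(self, email: str, password: str) -> Optional[Account]:
        acct = self.accounts.get(email)
        if acct is None or acct.password_hash is None or acct.salt is None:
            return None
        candidate = _hash_password(password, acct.salt)
        return acct if hmac.compare_digest(candidate, acct.password_hash) else None

    def login_with_oauth(self, email: str, subject: str) -> Account:
        """Called after the IdP has authenticated the user and returned an
        email claim plus a stable subject id."""
        acct = self.accounts.get(email)
        if acct is None:
            # No local account yet: the IdP login simply creates one.
            acct = Account(email=email, email_verified=True)
            acct.oauth_subjects.add(subject)
            self.accounts[email] = acct
            return acct
        if subject in acct.oauth_subjects:
            return acct                     # already linked, normal login
        if self.strict and not acct.email_verified:
            # Hardened rule: the password was set by someone who never proved
            # control of this mailbox, while the IdP user just did. Drop the
            # unverified password credential instead of merging both logins.
            acct.salt = None
            acct.password_hash = None
            acct.email_verified = True
        # Vulnerable rule (and the strict rule after the cleanup above):
        # link the IdP subject to the account with the matching email.
        acct.oauth_subjects.add(subject)
        return acct


def demo() -> dict:
    """Runs the write-up's steps against both rules and reports whether the
    attacker's password still opens the account afterwards."""
    results = {}
    for strict in (False, True):
        store = AccountStore(strict=strict)
        # Steps 2-3: attacker registers the victim's address, never verifies.
        store.register_with_password("victim@example.com", "attacker-chosen-pw")
        # Step 4: victim signs up through the IdP with the same address.
        store.login_with_oauth("victim@example.com", "idp-subject-0001")
        # Step 5: does the attacker's password still open the account?
        attacker_ok = store.login_with_password(
            "victim@example.com", "attacker-chosen-pw") is not None
        results["strict" if strict else "vulnerable"] = attacker_ok
    return results


if __name__ == "__main__":
    print(demo())   # {'vulnerable': True, 'strict': False}
```

Running the block prints the outcome of the write-up’s steps under both rules: with auto-linking the attacker’s password still works after the victim’s SSO signup, while the strict rule leaves only the IdP login. A legitimately verified local account still links to the IdP normally under the strict rule, so the check costs real users nothing.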
Impact:- OAuth misconfiguration leads to pre-account takeover, granting attackers unauthorized access to user accounts and sensitive data. This breach can result in data theft, financial loss, and erosion of user trust. The exploited accounts may be used for further attacks, including phishing and social engineering. Legal and compliance issues may arise due to failure to protect user data. Overall, the impact can be severe, affecting both users and the organization’s reputation and finances.
Check reports of OAuth Misconfiguration Pre-Account Takeover
https://hackerone.com/reports/1074047
https://hackerone.com/reports/1212374
That’s it for this article. I will upload more articles on web2 bugs covering all P4 to P1 bugs in the near future, so stay tuned … 🙂
Also read my previous articles on P4 bugs – Part 1, Part 2, Part 3
Buy Me a Coffee : https://buymeacoffee.com/socalledhacker