How I was able to take over accounts on websites that use GitHub as an SSO provider

2022-1-25 15:35:47 Author: infosecwriteups.com Views: 8


Hello, fellow hackers and security researchers!
I’m Khaled Mohamed, a cyber security engineer at Heroic Cybersecurity. Welcome to my first write-up; I hope you enjoy it. Let’s start.
First, let’s look at what SSO is, and then get into the security issue.

What is Single Sign-On (SSO)

Single sign-on (SSO) is a user authentication tool that enables users to securely access multiple applications and services using just one set of credentials. Whether your workday relies on Slack, Asana, Google Workspace, or Zoom, SSO provides you with a pop-up widget or login page with just one password that gives you access to every integrated app. Instead of twelve passwords in a day, SSO securely ensures you only need one.
Single sign-on puts an end to the days of remembering and entering multiple passwords, and it eliminates the frustration of having to reset forgotten passwords. Users can also access a range of platforms and apps without having to log in each time.

Description

I decided to take a look at GitHub. After starting with recon I found nothing interesting, so I moved to the next phase and started with account creation. Creating an account on GitHub is very simple; after creating the account you are asked to verify your e-mail with a 6-digit code sent to your email. I went to my email and found that a link was sent along with the code, for the case where you are not able to enter the code manually. The link contained the same 6-digit code instead of a token or something like that, which was a bit interesting. There was a strict rate limit if you tried to enter the code using the manual form, so it was impossible to brute force the code through it. I tried to brute force the code using the link and bingo!!

There was no rate limit, and I was able to successfully brute force the code. I sent about 130,000 (one hundred thirty thousand) requests until I got the valid one.

Steps To Reproduce:

  1. Create an account with the victim’s email.
  2. In this form (“https://github.com/account_verifications”) click on (“Resend the code”).
  3. Open up a proxy to get the email id.
  4. You should see a POST request intercepted to this URL (“/users/~username~/emails/~email-id~/request_verification”); here (‘~email-id~’) is the email id.
  5. Update this URL with your email id and username so that it looks like this (‘https://github.com/users/~username~/emails/~emailid~/confirm_verification/000000?via_launch_code_email=true’).
  6. Finally, send this request to Intruder and start brute-forcing the code.

Impact

As many websites use GitHub as an SSO provider, if a user has no GitHub account, an attacker can create a GitHub account with that user’s email address and then use it to take over the user’s account on those websites.
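The weakness described above is a design one rather than a single bug: the email link carried the same 6-digit code as the manual form, and the link endpoint did not share the form's rate limit, so a small code space became brute-forceable. The following is an added example, not GitHub's code or anything from the write-up, of how an email-verification service can be written so that the failure mode does not arise: the link carries a long random token instead of the numeric code, every check (form or link) draws from one per-verification attempt budget, the pending record expires, and a small helper bounds the guessing probability for a given budget. The class, constant names and message strings are assumptions made for this illustration.

```python
import hmac
import secrets
import time

CODE_DIGITS = 6             # manual-entry code stays short for usability
MAX_ATTEMPTS = 5            # one budget shared by every way of presenting the code
CODE_TTL_SECONDS = 15 * 60  # a pending verification expires after 15 minutes
LINK_TOKEN_BYTES = 32       # the link carries 256 random bits, never the 6-digit code


class VerificationStore:
    """In-memory store of pending email verifications (constructed for this example)."""

    def __init__(self, clock=time.time):
        self._clock = clock   # injectable so expiry can be exercised without waiting
        self._pending = {}    # email -> {"code", "link_token", "attempts", "expires_at"}

    def issue(self, email):
        """Create a pending verification: a 6-digit code for the manual form and a
        separate, unguessable token for the link embedded in the email."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        link_token = secrets.token_urlsafe(LINK_TOKEN_BYTES)
        self._pending[email] = {
            "code": code,
            "link_token": link_token,
            "attempts": 0,
            "expires_at": self._clock() + CODE_TTL_SECONDS,
        }
        return code, link_token

    def _pending_record(self, email):
        """Return the live record for `email`, dropping it if it has expired."""
        rec = self._pending.get(email)
        if rec is None:
            return None
        if self._clock() > rec["expires_at"]:
            del self._pending[email]
            return None
        return rec

    def _spend_attempt(self, email, rec):
        """Every check, whichever endpoint it comes from, consumes the same counter."""
        rec["attempts"] += 1
        if rec["attempts"] > MAX_ATTEMPTS:
            del self._pending[email]  # invalidated; the user must request a new code
            return False
        return True

    @staticmethod
    def _matches(expected, submitted):
        # compare_digest needs ASCII str; reject anything else before comparing
        if not isinstance(submitted, str) or not submitted.isascii():
            return False
        return hmac.compare_digest(expected, submitted)

    def confirm_by_code(self, email, submitted_code):
        """Manual-form endpoint: checks the short numeric code."""
        rec = self._pending_record(email)
        if rec is None:
            return False, "no pending verification"
        if not self._spend_attempt(email, rec):
            return False, "too many attempts; request a new code"
        if self._matches(rec["code"], submitted_code):
            del self._pending[email]
            return True, "verified"
        return False, "wrong code"

    def confirm_by_link(self, email, submitted_token):
        """Link endpoint: checks the long random token, under the same attempt budget."""
        rec = self._pending_record(email)
        if rec is None:
            return False, "no pending verification"
        if not self._spend_attempt(email, rec):
            return False, "too many attempts; request a new code"
        if self._matches(rec["link_token"], submitted_token):
            del self._pending[email]
            return True, "verified"
        return False, "invalid verification link"


def guess_success_probability(attempts_allowed, digits=CODE_DIGITS):
    """Upper bound on the chance of guessing a uniformly random numeric code when
    only `attempts_allowed` guesses are accepted before the code is invalidated."""
    return min(1.0, attempts_allowed / 10 ** digits)


if __name__ == "__main__":
    store = VerificationStore()
    code, token = store.issue("user@example.com")  # constructed sample address
    print(store.confirm_by_code("user@example.com", "abcdef"))
    print(store.confirm_by_link("user@example.com", token))
    print(guess_success_probability(MAX_ATTEMPTS))
```

The point of the shared counter is that a second endpoint accepting the same secret must not become a second, unmetered channel; with a budget of five guesses the bound is 5/10^6, whereas an unmetered endpoint lets the probability climb toward 1 with the request count, which is what the 130,000-request figure above illustrates. Logging the "too many attempts" branch per email address is also the natural detection hook for this class of abuse.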

Timeline:
Aug 5, 2021: Reported.
Aug 5, 2021: Triaged.
Aug 10, 2021: Severity confirmed High.
Aug 10, 2021: Resolved and rewarded.

Thanks for reading.
https://www.linkedin.com/in/khaledsec/