Hello,

Today I am going to share one of my interesting findings on the private program of Bugcrowd. Since this is on a private program,so I will be using target.com as the website name.

While testing target.com I have noticed that users can use Google to create and login to target.com accounts. Now there are two ways of registering into target.com.By email registration Google oauth login now here target.com has a weak auth verification which does not check if a previous account was created with the same email when we use Google to login to our accounts. So basically, what it means is that someone can register using the unregistered victims account. after that victim will log in using the OAuth. in this case, the verification process is bypassed and the attacker can log in using the password after that.

1. Go to https://target.com/signup/ and signup using the unregistered victim’s account.
2. After the sometime victim is going to signup using the OAuth method.
3. What happens here is, now the victim can easily log in using the victim’s account which bypasses the verification methods.

1: Signup for [email protected] using email signup

2: Signup through google login using the same email

3: The user will be logged in

4: This vulnerability is very high severity because of exploitation and complete account access if the victim creates an account.

Either don’t let user enter with oauth when there’s already another account created with the same email or let the user enter but let him know someone else has already created an account and if it was him or not then ask him to change the password.

Only one thing we need here and that is email address. Just by knowing that we can takeover victim’s account so the impact here is quite high. Imagine email address is something you can even get if you ask so its not a hard task. But since the oauth does not authenticates the real user attackers can easily takeover the account.

I Reported This Vulnerability in Bugcrowd.Unfortunately duplicated.

https://portswigger.net/daily-swig/oauth-standard-exploited-for-account-takeover