Account takeover worth $1000
2022-8-22 19:14:21 Author: infosecwriteups.com(查看原文) 阅读量:22 收藏

Hello everyone, I am Faique a bug bounty hunter from India and I welcome you to my write-up on how I got an account takeover in one of the largest organizations using misconfigured 2FA and OAuth.

I cannot disclose that target because it was a private invite. Before getting into the vulnerability I want you to get a foothold on how everything works especially authentication this will help you to understand the bug more clearly. There are multiple ways to sign in to the website but they can be categorized in two ways, First using normal email and password and the other is by using OAuth which includes Google, GitHub and …

A security feature that the website has is 2FA which played a major role in this bug. A customer can use it to add an extra security layer. Now let’s come to the procedure and the bug.

I started with basic recon but didn’t find anything. So I moved toward authentication testing, created an account and tested for duplicate registration, forgot password bugs, SQL injection and so on. Then I enabled 2FA and brute-forced the 2FA code I tried this with both email,password login and with Oauth login but nothing worked:(

Next day I enabled 2FA on google oauth account and intercepted every request and send juicy one to repeater like when the website send 2FA code to the server.

I tested for some more 2FA bugs and then got fed up and stopped 2FA on the account, Then meanwhile after I was going to all my repeater requests I got stumbled on the above request and sent that again and received a JWT token I thought why not change the authenticator code with some random code like 000000 and send the request again and guess what I received the JWT token

Even after disabling 2FA on the account, I was able to get a JWT code using this request. This JWT token is basically the cookie that is used to authenticate users. To confirm this was actually a vulnerability I waited 1 day and then send the request again and yeah I received the JWT token. I was so excited at that point.

I just needed a way to directly login to the hacked account. So I started browsing the website logged in and I saw there was a feature to set password to the oauth account so that anyone can login using email & password.

I used set password request and replaced the JWT token to the one i received and send it.The password got added.

I can now login directly using the email and password bypassing oauth headache. This bug not only affect google oauth login but affects all oauth provider used by the site: GitHub, Microsoft, Bitbucket, Azure active directory

Note: The bug is only possible if the customer had enabled and then disabled 2FA on their account

Impact:

Once the attacker has access to the account

1. Attacker can see, and edit confidential details like API keys

2. Edit organisation & product names

3. Invite members to the account

4. Remove users from the organisation

5. Add a password to the account

6. Delete the account

Reported the bug to the site

Timeline

00:09, 1 August: Reported the bug

02:20, 1 August: First rejected as they though this is false positive

03:00, 1 August: Accepted it and asked for patience

01:20, 5 August: Marked the bug as high business critical security issue and offered me $1000

Thank you for reading till here I hope you enjoyed and learned something new from it. Feel free to Dm me if you have any query

Follow me on

Twitter: https://twitter.com/imfaiqu3

Instagram: https://twitter.com/imfaiqu3

LinkedIn: https://www.linkedin.com/in/faiqu3/

From Infosec Writeups: A lot is coming up in the Infosec every day that it’s hard to keep up with. Join our weekly newsletter to get all the latest Infosec trends in the form of 5 articles, 4 Threads, 3 videos, 2 Github Repos and tools, and 1 job alert for FREE!


文章来源: https://infosecwriteups.com/account-takeover-worth-1000-611452063cf?source=rss----7b722bfd1b8d--bug_bounty
如有侵权请联系:admin#unsafe.sh