How I Found an Authentication Bypass Bug and Earned $$$$
2021-12-23 01:22:09 Author: infosecwriteups.com

Thedarkwayg

Hi all,

I am @shadow_CLAY from Vietnam. Today I am going to write about a rather interesting bug that I found.

This is also my favorite bug bounty program on @HackerOne 😎

This is an application that specializes in online news, media and entertainment.

There are two options when logging in:
+ Login via OAuth
+ Login with Email

Photos are for illustrative purposes

When I sign in with Google, I need to authenticate my Google account. Then I will be redirected to the redacted.com account.

Suppose I log out of redacted.com (without signing out of Google) and log back in to redacted.com using Google: I am automatically redirected to my redacted.com account.

On its own, this is a common misconfiguration rather than the bug itself: while the user still has a Google session, Google can silently re-authorize an app it has already consented to, unless the app asks for the account chooser (the prompt=select_account parameter on the authorization request). That is why users are normally given a choice of Google account instead of being redirected straight to redacted.com.

Photos are for illustrative purposes

Even if I sign out of everything, including the Google account, I can still sign in to redacted.com with Google.

Now I log in via OAuth -> Google -> complete the authentication steps -> sign out of everything, including the Google account -> sign in again via OAuth -> direct access to the account without authentication.

Victim logs into their redacted.com account via Google on a public computer => Moments later, the victim leaves the computer (having signed out of both redacted.com and the Google account) => At this point, anyone can access the victim's account by clicking "Sign in with Google".

Two cases:

  • The access token/authorization code is not revoked on logout
  • Auto login: the stored token is reused without re-authenticating at Google

When the attacker clicks "Sign in with Google" => redacted.com reuses the access token/code it still holds for that browser and logs the attacker straight into the victim's account, with no fresh authentication at Google.
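To make the two cases concrete, here is an added example (my own code, not code from the write-up or from the affected site) that models a relying party in Python. Google is reduced to its real authorization and revocation endpoint URLs plus a constructed, offline stand-in for the token exchange; the device cookie, token cache, session store, client ID and redirect URI are all assumptions about how such an application might be built. One object shows both behaviours: the vulnerable logout (session dropped, cached token kept, so the next click on "Sign in with Google" silently reuses it) and the hardened one (token revoked and removed on logout, and the fresh authorization request carrying prompt=select_account so Google shows the account chooser).

```python
"""Toy relying party (RP) modelling the logout / "Sign in with Google" bug (added example)."""
from __future__ import annotations

import secrets
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlencode, urlparse

GOOGLE_AUTH_URL = "https://accounts.google.com/o/oauth2/v2/auth"  # real Google endpoint
GOOGLE_REVOKE_URL = "https://oauth2.googleapis.com/revoke"        # real Google endpoint
CLIENT_ID = "example-client-id.apps.googleusercontent.com"         # assumed value
REDIRECT_URI = "https://rp.example/oauth/callback"                 # assumed value

# Constructed stand-in for Google's token endpoint: authorization code -> (subject, access token).
_FAKE_GOOGLE_CODES = {"4/constructed-code-victim": ("victim-google-sub", "ya29.constructed-token")}
_REVOKED_TOKENS: set[str] = set()


def fake_google_exchange(code: str) -> tuple[str, str]:
    """Stand-in for POSTing the code to Google's token endpoint (offline, constructed data)."""
    return _FAKE_GOOGLE_CODES[code]


def fake_google_revoke(token: str) -> None:
    """Stand-in for POST token=<token> to GOOGLE_REVOKE_URL."""
    _REVOKED_TOKENS.add(token)


def is_revoked(token: str) -> bool:
    return token in _REVOKED_TOKENS


def authorize_params(url: str) -> dict[str, str]:
    """Flatten the query string of an authorization URL for inspection."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


@dataclass
class RelyingParty:
    revoke_on_logout: bool
    # device cookie -> (google subject, access token): the cache that outlives logout in the bug
    token_cache: dict[str, tuple[str, str]] = field(default_factory=dict)
    sessions: dict[str, str] = field(default_factory=dict)   # session id -> google subject
    pending_state: set[str] = field(default_factory=set)

    def login_with_google(self, device_cookie: str) -> dict:
        """Handle a click on "Sign in with Google".

        With revoke_on_logout=False the token cached for this browser survives logout, so
        the RP mints a session from it with no round-trip to Google: whoever is at the
        keyboard becomes the previous user.
        """
        cached = self.token_cache.get(device_cookie)
        if cached is not None:
            sub, _token = cached
            sid = secrets.token_urlsafe(16)
            self.sessions[sid] = sub
            return {"action": "session", "session_id": sid, "user": sub}
        # No usable token: redirect to Google. prompt=select_account forces the account
        # chooser even when a Google session is still alive; state binds the callback.
        state = secrets.token_urlsafe(16)
        self.pending_state.add(state)
        params = {
            "client_id": CLIENT_ID,
            "redirect_uri": REDIRECT_URI,
            "response_type": "code",
            "scope": "openid email",
            "state": state,
            "prompt": "select_account",
        }
        return {"action": "redirect", "url": f"{GOOGLE_AUTH_URL}?{urlencode(params)}"}

    def oauth_callback(self, device_cookie: str, code: str, state: str) -> dict:
        """Google redirected back with ?code=...&state=...; exchange it and open a session."""
        if state not in self.pending_state:
            raise ValueError("unknown state: possible login CSRF")
        self.pending_state.discard(state)
        sub, token = fake_google_exchange(code)
        self.token_cache[device_cookie] = (sub, token)
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = sub
        return {"action": "session", "session_id": sid, "user": sub}

    def logout(self, device_cookie: str, session_id: str) -> None:
        """Vulnerable logout only drops the session; hardened logout also revokes the token."""
        self.sessions.pop(session_id, None)
        if self.revoke_on_logout:
            cached = self.token_cache.pop(device_cookie, None)
            if cached is not None:
                fake_google_revoke(cached[1])


def shared_device_scenario(revoke_on_logout: bool) -> dict:
    """Replay the public-computer scenario and return what the attacker's click yields."""
    rp = RelyingParty(revoke_on_logout=revoke_on_logout)
    device = "device-cookie-public-pc"  # constructed: victim and attacker share one browser profile
    first = rp.login_with_google(device)                 # victim: sent to Google
    state = authorize_params(first["url"])["state"]
    victim = rp.oauth_callback(device, "4/constructed-code-victim", state)
    rp.logout(device, victim["session_id"])              # victim signs out and walks away
    return rp.login_with_google(device)                  # attacker clicks "Sign in with Google"
```

shared_device_scenario(False) returns a session for the victim's account; shared_device_scenario(True) returns a redirect to Google with prompt=select_account. On a real target the equivalent check is: after logout, confirm that the cookies and local storage the OAuth flow wrote are gone, and that clicking "Sign in with Google" produces a request to accounts.google.com rather than an immediate session.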

The severity of this bug was reduced because "the attacker needs access to the victim's device".

I would love to experiment with authentication functions as well as OAuth, but I never thought a bug like this would happen in real life.

My advice to you is to always jump out of your comfort zone and think in a bolder direction. Sometimes we think it won’t happen in reality, but in fact it has been happening somewhere. The question is who will find it first?

Thank you everyone for reading!!! ❤

Happy Hacking :)))

Twitter: https://twitter.com/shadow_CLAY


Article source: https://infosecwriteups.com/bypass-authentication-1bfab09332fe?source=rss----7b722bfd1b8d--bug_bounty