Never underestimate the power of open redirect, a story of a full account takeover

In the name of Allah, the Most Gracious, the Most Merciful

It is a private program I have been hacking on for months. One night I realised that they had added another security layer, two-factor authentication (2FA). Like every bug bounty hunter, I tried to see if I could bypass the 2FA mechanics. I tried brute-force attacks, but that didn't work as I got rate limited after sending a few invalid codes using Burp Suite Intruder. I tried response manipulation (and status code manipulation) but failed too. I then gave up and went to sleep.

The next day I revisited the website to understand properly how the 2FA works, but this time around I was very careful about everything that was happening, and I got the bug without even using any tool. Let's break it down.

Note: Let's assume the target is

- Whenever a user tries to log in to with valid credentials, he will be redirected to

- I did what I know you will do too, you will change the redirect_uri, right? But open redirect is out of scope in the program policy. I changed to and surprisingly I got redirected to

https://evil.con/shell-auth?code=<access-token-here>&state=... I was kind of wowww, I was able to leak the victim's auth-token/access-token.

- Yet this is not valid unless I can use that token. I then opened a new Incognito tab and pasted <access-token-here>&state=... and changed it to <access-token-here>&state=... Nothing happened because does not have any login functionality.

- I then tried <access-token-here>&state=... Nice one, I was able to log in to with that code, and I was also able to log in to other subdomains such as with that code.

If you understand the flow, this is a single-click account takeover bug: an attacker only needs to share this link with the victim; once the victim clicks on the link, his auth-token will be leaked to the attacker's server, and the attacker will be able to log in to the victim's account on or


Reported: Jul 30th 2022

Triaged: Aug 1st 2022

Rewarded: Aug 4th 2022

Closed as resolved: Aug 4th 2022

Fix bypass:

After some days I noticed that the redirection was not patched. What happens is that the user will just get an error message when the redirect_uri is not a whitelisted domain, but he will still be redirected to the malicious site if he requests a new code, and now he must enter the code before he is redirected to the attacker's domain.
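As an added example (not the program's code, and not from the original post), this is how an OAuth authorization endpoint should handle redirect_uri so that the flow above and the incomplete fix both become impossible: exact match against the client's registered URIs, and on a mismatch an error page with no redirect at all. The client id, registered URI and the weak "domain contains" check are constructed for illustration.

```python
from urllib.parse import urlparse, urlencode

# Constructed sample: redirect URIs registered per client. RFC 6749 3.1.2
# requires exact string comparison, not prefix, substring or domain checks.
REGISTERED_REDIRECT_URIS = {
    "client-123": {"https://app.example.com/shell-auth"},
}


def weak_domain_check(redirect_uri: str) -> bool:
    """Constructed example of the kind of check that fails: it asks whether
    the trusted domain appears anywhere in the URI, so an attacker host such
    as app.example.com.evil.example or a path containing the domain passes."""
    return "app.example.com" in redirect_uri


def redirect_uri_allowed(client_id: str, redirect_uri: str) -> bool:
    """Return True only if redirect_uri exactly equals a registered URI."""
    parsed = urlparse(redirect_uri)
    # Only absolute https URIs with a host and without a fragment qualify.
    if parsed.scheme != "https" or not parsed.netloc or parsed.fragment:
        return False
    return redirect_uri in REGISTERED_REDIRECT_URIS.get(client_id, set())


def authorize(client_id: str, redirect_uri: str, state: str, issue_code):
    """Decide what the authorization endpoint does after login and 2FA.

    Returns ("redirect", location) when the URI is registered, otherwise
    ("error", message). The bypass described above happened because the
    server showed an error but still redirected later; the rule is that an
    unregistered redirect_uri never produces a redirect, and no code is
    issued for it, no matter how many times the user re-requests one.
    """
    if not redirect_uri_allowed(client_id, redirect_uri):
        return ("error", "invalid redirect_uri")
    code = issue_code()
    location = redirect_uri + "?" + urlencode({"code": code, "state": state})
    return ("redirect", location)
```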

I created a new ticket and the same bounty was paid as in the first report.

Suggestions and corrections are always welcome.
