How a Simple Click Can Lead to Account Takeover: An OAuth Insecure Implementation Vulnerability

Introduction

During a recent security assessment of a private program on HackerOne, I discovered a High 1-click account takeover vulnerability affecting multiple domains owned by the same company. The company has several domains in scope, with Target1.com being the primary domain and Target2.com implementing an OAuth system that allows users to "Login with Target1.com." This flaw in the email confirmation mechanism enables an attacker to hijack user accounts with minimal interaction from the victim.

Vulnerability Details

The affected domains are:

• target1.com (Primary Domain)

• target2.com

Target2.com uses OAuth for user authentication, allowing users to log in using their Target1.com credentials. Here's a step-by-step breakdown of the vulnerability:

1. Victim Registration on Target1.com: The victim registers an account on Target1.com using their email address (e.g., victim@example.com).

2. OAuth Login on Target2.com: The victim then navigates to Target2.com and uses the "Login with Target1.com" OAuth feature, successfully logging in to Target2.com using their Target1.com credentials.

3. Attacker Registration on Target2.com: The attacker, aware of the victim's email address (victim@example.com), goes to Target2.com and registers a new account using the victim's email address. The attacker can set any password during this registration process.

4. Email Confirmation: Target2.com sends an email to the victim (victim@example.com) to confirm the email address. The email appears legitimate and originates from the official company email domain.

   
5. Victim Clicks Confirmation Link: If the victim clicks on the confirmation link in the email, believing it to be a harmless action, the attacker's registration process completes.

6. Account Takeover: The attacker can now log in to Target2.com using the victim's email address and the password set during the registration process. This allows the attacker to access all data and functionalities associated with the victim's account on Target2.com.

Exploitation Scenario

To demonstrate the exploitation, let's go through a hypothetical scenario:

1. Victim Action: Jane Doe registers on Target1.com with her email, jane.doe@example.com. She then uses OAuth to log in to Target2.com successfully.

2. Attacker Action: John Malicious knows Jane's email address. He goes to Target2.com, registers with jane.doe@example.com, and sets his own password.

3. Email Confirmation: Jane receives an email from Target2.com, asking to confirm her email address for the new account registration. The email looks official, so she clicks the confirmation link.

4. Account Hijack: John Malicious now logs in to Target2.com using jane.doe@example.com and his password, gaining access to Jane's account and all her data on Target2.com..

Mitigation Recommendation

To mitigate this vulnerability, the company should:

1. Separate OAuth and Regular Login Email Confirmation: Ensure that email confirmations for OAuth-based logins are handled separately from regular account registrations to prevent this kind of confusion.

2. Unique Token Verification: Implement unique tokens for email verification that are specific to the type of action being performed (e.g., account registration vs. linking OAuth accounts).

3. User Awareness: Educate users about potential phishing and social engineering attacks, advising them to verify the context of email confirmation requests.

Conclusion

This 1-click account takeover vulnerability highlights the importance of securing OAuth implementations and email confirmation workflows across multiple domains. By addressing these issues, the company can protect its users from malicious account hijacking attempts and ensure a safer user experience across its platforms.