If you enjoy what I do, please support me Buy Me Ko-fi! https://ko-fi.com/h0tak88r
Last updated
In the name of Allah, the Most Beneficent, the Most Merciful
During a recent security assessment of a private program on HackerOne, I discovered a High 1-click account takeover vulnerability affecting multiple domains owned by the same company. The company has several domains in scope, with Target1.com being the primary domain and Target2.com implementing an OAuth system that allows users to "Login with Target1.com." This flaw in the email confirmation mechanism enables an attacker to hijack user accounts with minimal interaction from the victim.
The affected domains are:
target1.com (Primary Domain)
target2.com
Target2.com uses OAuth for user authentication, allowing users to log in using their Target1.com credentials. Here's a step-by-step breakdown of the vulnerability:
Victim Registration on Target1.com: The victim registers an account on Target1.com using their email address (e.g., victim@example.com).
OAuth Login on Target2.com: The victim then navigates to Target2.com and uses the "Login with Target1.com" OAuth feature, successfully logging in to Target2.com using their Target1.com credentials.
Attacker Registration on Target2.com: The attacker, aware of the victim's email address (victim@example.com), goes to Target2.com and registers a new account using the victim's email address. The attacker can set any password during this registration process.
Email Confirmation: Target2.com sends an email to the victim (victim@example.com) to confirm the email address. The email appears legitimate and originates from the official company email domain.
Victim Clicks Confirmation Link: If the victim clicks on the confirmation link in the email, believing it to be a harmless action, the attacker's registration process completes.
Account Takeover: The attacker can now log in to Target2.com using the victim's email address and the password set during the registration process. This allows the attacker to access all data and functionalities associated with the victim's account on Target2.com.
Exploitation Scenario
To demonstrate the exploitation, let's go through a hypothetical scenario:
Victim Action: Jane Doe registers on Target1.com with her email, jane.doe@example.com. She then uses OAuth to log in to Target2.com successfully.
Attacker Action: John Malicious knows Jane's email address. He goes to Target2.com, registers with jane.doe@example.com, and sets his own password.
Email Confirmation: Jane receives an email from Target2.com, asking to confirm her email address for the new account registration. The email looks official, so she clicks the confirmation link.
Account Hijack: John Malicious now logs in to Target2.com using jane.doe@example.com and his password, gaining access to Jane's account and all her data on Target2.com..
Mitigation Recommendation
To mitigate this vulnerability, the company should:
Separate OAuth and Regular Login Email Confirmation: Ensure that email confirmations for OAuth-based logins are handled separately from regular account registrations to prevent this kind of confusion.
Unique Token Verification: Implement unique tokens for email verification that are specific to the type of action being performed (e.g., account registration vs. linking OAuth accounts).
User Awareness: Educate users about potential phishing and social engineering attacks, advising them to verify the context of email confirmation requests.
Conclusion
This 1-click account takeover vulnerability highlights the importance of securing OAuth implementations and email confirmation workflows across multiple domains. By addressing these issues, the company can protect its users from malicious account hijacking attempts and ensure a safer user experience across its platforms.
