[Case Study] OAuth Misconfiguration leads to Account Takeover
Most of the security vulnerabilities arises within the integration part due to the incorrect implementation of third party services. Integrating third party OAuth providers are often left misconfigured by developers which may lead to a bigger security impact such as account takeover.
While working on a bug bounty program, I found that the target website had a OAuth Misconfiguration which allowed me to gain access to any user’s account.
It is always recommended that you use two test accounts to test the OAuth misconfiguration flaw. Someone would definitely not like it if you accidentally land up into other users account.
Here I have used two test accounts as part of creating proof of concept. Naming them: Attacker and gaurang (Victim)
The website used Google and Facebook Oauth to sign in. As a victim, I signed up and logged into the application via Google sign in. The following image shows how my profile page looked.
Notice the linked accounts section. Here you can see my Google account is linked with my profile. I have not linked my Facebook account.
To test the Oauth functionality, i created another account by the name of Attacker. I used another mail id to register into the application. Here’s how the attacker profile looked.
In the Linked Accounts section you can also link your facebook account by signing into the facebook app. When you click on the Connect button, following request is generated:
As you can see in the request, while linking up your Facebook account, the application sends ownerBid of the user who is requesting.
Now, what if i replace this ownerBid with someone else’s ownerBid?
As an Attacker i replaced the OwnerBid parameter with the Victim’s ownerBid (gaurang).
As expected, i found that attacker’s facebook profile was linked to Victim’s profile account.
Now, Attacker can sign in using facebook and will get access to Victim’s account.
Impact:
The impact was high because the profiles were public and if you see the source code of a public profile you can get the OwnerBid (which was used to takeover the account). The OwnerBid and user_bid were same.
Moreover, there were many celebrities who had their account on this website. And the above screenshot contains the OwnerBid/user_bid of a known celebrity. So it was possible for an attacker to get access to any user’s profile.
Takeaways:
Make sure to properly test the third party integrated services. There are fair chances that they may not be properly configured and may become a source of $$$$ for you :).
