Full Account takeover due to OAuth misconfiguration

Cysky0x1
3 min read · Sep 2, 2023

Hello Amazing Hackers… Abdelhy khaled is Here

In this article I will talk about how I found account squatting due to an OAuth misconfiguration in a public bug bounty program.

A brief note on what an account takeover vulnerability is
OAuth is an authorization framework used to identify and authenticate users for an application. There are a number of implementation misconfigurations which can lead to an OAuth framework being implemented insecurely.

During the OAuth based account registration process, the OAuth authorization flow creates a new account for an email address and grants access via an OAuth token without checking if there is a pre-existing account for the same email address. This allows an attacker to register an account with a legitimate email and “squat” on the account. When the legitimate user creates an account with their email address using the OAuth workflow, they are unknowingly logged into the original account that the attacker created. This means that the attacker is still able to access the account.

So let’s go

It's a very simple logical flaw that results in this.

So suppose we are victim@gmail.com. Now log in to the website, then:

  1. Go to account settings and change the mail address to victim2@gmail.com.
  2. A verification link will be sent to victim2@gmail.com; now the user realizes that he has lost access to victim2@gmail.com for some reason.
  3. So he will probably change the mail to another mail address, e.g. victim3@gmail.com, which he owns and has access to.
  4. But it turns out that even after verifying victim3@gmail.com, the old link that was sent to victim2@gmail.com is still active, so a user/attacker with access to that mailbox can verify it. This is the OAuth misconfiguration that leads to account takeover.

In a nutshell:

It is mandatory for a web app to invalidate such tokens in time to secure its users.
In this case, suppose that while changing the mail address the user mistakenly typed a wrong mail address, so the verification link is sent to that address.
The user probably doesn't want the owner of that mail address to verify it, so he will quickly change his mail address to one he owns and verify it.
What he doesn't know is that even after verification (a change of major state), the old link is still active.

The flaw:

User changes mail to attacker@gmail.com -> user realizes that he mistyped the mail -> user changes it again to a mail he owns and verifies it -> the old link sent to attacker@gmail.com is still active even after the new mail has been verified.
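The sequence above, modelled as an added example (not code from the post or from the affected program): a hypothetical in-memory e-mail-change service that can run either the flawed way (stale verification links stay valid) or the hardened way (every pending link for the user is revoked whenever a new change is requested or one is verified). `replay_scenario` walks through the exact steps of the write-up and reports which address ends up on the account and whether the stale link was accepted.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class PendingChange:
    user_id: str
    new_email: str
    revoked: bool = False


@dataclass
class EmailChangeService:
    # Constructed model of an e-mail-change flow; `hardened` toggles the fix.
    hardened: bool
    emails: dict = field(default_factory=dict)    # user_id -> verified e-mail
    pending: dict = field(default_factory=dict)   # token -> PendingChange

    def _revoke_pending(self, user_id: str) -> None:
        # Any earlier link for this user stops working once state moves on.
        for change in self.pending.values():
            if change.user_id == user_id:
                change.revoked = True

    def request_change(self, user_id: str, new_email: str) -> str:
        if self.hardened:
            self._revoke_pending(user_id)
        token = secrets.token_urlsafe(32)   # the value embedded in the mailed link
        self.pending[token] = PendingChange(user_id, new_email)
        return token

    def verify(self, token: str) -> bool:
        change = self.pending.pop(token, None)
        if change is None or change.revoked:
            return False
        if self.hardened:
            self._revoke_pending(change.user_id)   # verification is a major state change
        self.emails[change.user_id] = change.new_email
        return True


def replay_scenario(hardened: bool) -> tuple:
    """Steps from the write-up; returns (final e-mail, was the stale link accepted?)."""
    svc = EmailChangeService(hardened, emails={"u1": "victim@gmail.com"})
    mistyped = svc.request_change("u1", "victim2@gmail.com")  # lands in a mailbox the user can't read
    owned = svc.request_change("u1", "victim3@gmail.com")     # corrected address
    assert svc.verify(owned)                                  # user verifies the address he owns
    stale_accepted = svc.verify(mistyped)                     # holder of the old link tries it
    return svc.emails["u1"], stale_accepted


if __name__ == "__main__":
    print("flawed:  ", replay_scenario(False))   # ('victim2@gmail.com', True)
    print("hardened:", replay_scenario(True))    # ('victim3@gmail.com', False)
```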

Thank you for taking the time to read this piece. Kindly remember to leave a comment sharing your thoughts on the blog.
