OAuth Misconfiguration Leads to Complete Account Takeover

Jackson kv
Jan 20, 2019 · 4 min read

Hello guys….

It's me, Jackson. This is my first blog post, and it is based on a security vulnerability I identified during my exam study leave.. 😆. First of all, thanks to Midhun S for giving me this wonderful site for testing and for the support.

So let's start hunting…



When I started bug bounty hunting I didn't really spend much time on reconnaissance, but later I realized its importance. Through reconnaissance I got a thorough understanding of how web apps behave, and some low-hanging bugs 😊😊. When I get a target, I always start with a simple Google search to identify information like what kind of company it is and what technologies are being used; this kind of information gives a slight idea about the company we are dealing with. Then I start the reconnaissance using some tools. I began with aquatone (a subdomain enumeration tool), and after running it I got some subdomains. Then I ran tools like Lazyrecon, eyewitness, nmap, dirsearch, advanced Google dorks, wappalyzer, and some scripts and tools… 😉 and now we have a target website.

How I got this Vulnerability

Sorry guys, I can't disclose the name of the company, so let's call it redacted.com. Let's look at the website https://www.redacted.com. It looks like a normal site, with nothing interesting on the homepage, so I went to the signup page and got a page like the one shown below.


I created an account using a temporary email address, completed the email confirmation and logged into my account. There is an option for linking the redacted.com account to Facebook or Google. This makes it easy to log into the redacted.com account using OAuth functionality.

What is OAuth?

OAuth: OAuth stands for Open Authorization Framework and is the industry-standard delegation protocol for authorization. OAuth 2.0 is widely used by applications (e.g. SaaS platforms) to access your data that already lives on the Internet, for example your contacts list on Google or your friends list on Facebook. If you have ever been asked by a web or mobile application to grant permission to access your personal data, you have probably used OAuth 2.0.

When I saw this option I opened Burp Suite, clicked the Facebook icon to link my account to Facebook, and intercepted the request and response.

So the first request looked like this:

When I saw this request I felt something was interesting here, because there is no state parameter, which means the flow may be vulnerable to a CSRF attack. Next a Facebook page pops up for authentication. I successfully authenticated to Facebook, then intercepted the callback from Facebook… and when I saw the callback I wondered: there is no state parameter in it either, which means there is no protection from a CSRF attack, so let's exploit that.


Based on this callback, I made a CSRF HTML page called attack.html.

Now we can test this vulnerability on a victim account. I created another redacted.com test account, logged into it in a different browser and went to the settings page, where there is an option for linking a Facebook account. Then I opened the HTML page in a new tab and clicked the submit button… Yes!… I got it…


My Facebook account was successfully linked to the victim's redacted.com account 😍😍… To cross-check, I logged out of the victim's redacted.com account and tried to log in to redacted.com with my Facebook account… Yeah… 😃😃 it logged me in with my Facebook account, so I can take over any victim's account. It's a simple OAuth misconfiguration leading to full account takeover.
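The root cause above is a link-account callback that accepts any authorization code without tying it to the session that started the flow. Here is how the state check would look on the application side, as an added example in Python that is not code from this post or from redacted.com; the provider URL, the session dict and the parameter names other than state and code are assumptions.

```python
import hmac
import secrets
from urllib.parse import urlencode

# Assumed placeholder for the provider's authorization endpoint.
PROVIDER_AUTH_URL = "https://provider.example/oauth/authorize"


def build_authorize_url(session: dict, client_id: str, redirect_uri: str) -> str:
    """Start the 'link account' flow: mint an unguessable state value, bind it
    to the current user's session, and send it to the provider so that it is
    echoed back on the callback."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "state": state,
    }
    return f"{PROVIDER_AUTH_URL}?{urlencode(params)}"


def handle_callback(session: dict, query: dict) -> tuple[bool, str]:
    """Callback handler. Returns (linked, reason).

    A forged callback delivered to a victim's browser (as in the attack.html
    scenario) fails here: the victim's session either never started a flow
    (no stored state) or holds a state that does not match the forged one."""
    expected = session.pop("oauth_state", None)  # one-time use: consume it
    received = query.get("state")
    if expected is None or received is None:
        return False, "missing state"
    if not hmac.compare_digest(expected, received):
        return False, "state mismatch"
    code = query.get("code")
    if not code:
        return False, "missing code"
    # At this point the code is known to belong to a flow this session began;
    # the real application would now exchange it for a token and link the
    # provider identity to the logged-in user.
    return True, "linked"
```

The same check belongs on the plain "log in with Facebook" callback, not only on the account-linking one.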

Unfortunately, it had already been reported by another security researcher. But I learned new things from this vulnerability… 😍😍

Thanks for reading.

You can reach me on Facebook and Twitter.
