Hack User Account Via Activation link

Sherif Afifi
Dec 29, 2019 · 2 min read

While I was testing one of our clients web-application, there was a function called “Add Account” which allows user to connect two accounts, so he that he can access both of them without needing to logout out the first account and sign in again.
Both accounts will have access to each other and from any account of them user can control the other and also user can connect any number of accounts together.

This action caught my attention, so I decided to try to understand how this feature works and find a way in which it can be abused.
I open my account and under settings I clicked on “Add Account”, I was redirect to the login page as following:
https://www.reacted.com/account/login?action=connect

here user should enter the login credentials “email and password” for the second account, and after login both accounts will be connected.
And you will be able to see the new account in a drop down menu contains your accounts where you can access any of them.

The first thing came to my mind is to make user login to my account while he is logged in his account using CSRF, So the both account are connected and by this I can access his account.

But The login page was protected against CSRF by Anti-CSRF-Token as following:

POST /sessions?action=connect HTTP/1.1

Host: www.reacted.com

headers,,,

auth-token=[Anti-CSRF-Token]&link=true&username=Tachi&password=********&commit=Log+in

After some time playing around the application, I remembered that when I registered the account for the first time, an activation link was sent to my email, visiting the link activated the account and logged me in directly in it.

So I created a new account, visited my email inbox and get the verification link and opened it in another browser where I was logged in with another user account, But nothing happened !!!
I was just logged in my new account, but the two accounts were not connected !!

So it is not enough to make user login another account while he is logged in, there is something else connects the two accounts, it must be a parameter sent within the request.

I remembered that there was a URL parameter sent with the login request to add an account action=connect, So we need to append this parameter to the activation link.

Original Link
https://www.reacted.com/users/ID/activate?activation_code={Random-Code}&tracker_id=xxxxx&utm_campaign=signup&utm_medium=Notifier&utm_source=email

Edited Link
https://www.reacted.com/users/ID/activate?action=connect&activation_code={Random-Code}&tracker_id=xxxxxx&utm_campaign=signup&utm_medium=Notifier&utm_source=email

After Visiting the Edited Activation link for the new account while being logged in my current account, I found that the account has been activated and linked to the current account…

Also the Activation link actually dose not expire after being used, which makes the attack more serve, you can just create an account, edit the activation link received and throw this link every where and wait for accounts to be connected.

Thanks,

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade