1-Click Account Takeover in Virgool.io — a Nice Case Study

Yasho
Jun 27 · 5 min read

Hello. Virgool is a light Iranian version of medium.com; recently I found a 1-click account takeover vulnerability in their product.

Virgool gives users the capability of domain parking, so site.com can be a mirror of virgool.io/myname. I was looking at https://tech.cafebazaar.ir, which is hosted on Virgool. I looked at the source code, and the eye-catching part was the login link:

I clicked, logged in to Virgool, and was then redirected back to https://tech.cafebazaar.ir. Let's see the flow:

Clicking the login link on the https://tech.cafebazaar.ir page:

The response:

The login page, after credentials submission:

The response:

Nothing useful here. The idea of manipulating the login link (https://virgool.io/authorize?redirectedFrom=https://tech.cafebazaar.ir&status=login) was not interesting enough, because at most there would be a useless open redirect after the user logs in (honestly I didn't check this vector; I'm not sure about the open redirect after the login sequence). Instead I tested another attack scenario:

What if a user who is already logged in clicks the authorize link?

The mechanism was:

The response was surprising:

Wait: there wasn't any login page, just a token used to refresh the authentication (updating the JWT tokens). If I could steal that token, I could take over any account. How was that possible? By an open redirect :)

The first shot was successful:

The response:

Done: 1-click account takeover. Here is the exploit code:

On the attacker's box:

The attacker has to trick the user into visiting their website; once the user visits the attacker's website:

the token is sent to the attacker and their Virgool account is compromised. I should thank Virgool for their fast response and bounty. Here is the PoC video sent to Virgool:
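The root cause above is that the authorize endpoint forwarded a refresh token to whatever `redirectedFrom` named. As an added example (not Virgool's code), this is the check a platform with domain parking would put in front of that redirect: the target must be HTTPS and its host must exactly match a registered parked domain, otherwise the user lands on the platform's own home page and the token never leaves. The registry contents and the second domain are constructed for illustration.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed registry: custom domains the platform has parked, stored as
# bare lowercase hostnames. Hypothetical data, not Virgool's real registry.
PARKED_DOMAINS = {"tech.cafebazaar.ir", "blog.example.org"}

PLATFORM_HOME = "https://virgool.io/"


def safe_redirect_target(redirected_from: str) -> str:
    """Return redirected_from only if it is an HTTPS URL whose host exactly
    matches a registered parked domain; otherwise return the platform's own
    home page. Any token issued after /authorize must only ever travel to
    the URL this function returns."""
    try:
        parts = urlsplit(redirected_from)
    except ValueError:  # e.g. malformed IPv6 brackets
        return PLATFORM_HOME
    # Scheme-relative ("//other.tld/") and plain-HTTP targets are refused.
    if parts.scheme != "https":
        return PLATFORM_HOME
    host = parts.hostname
    # netloc must be nothing but the bare host. This rejects userinfo tricks
    # ("https://parked.tld@other.tld/", "https://other.tld\@parked.tld/"),
    # explicit ports, and anything a browser might parse differently.
    if not host or parts.netloc.lower() != host:
        return PLATFORM_HOME
    # Exact membership: look-alikes such as "tech.cafebazaar.ir.other.tld"
    # do not match.
    if host not in PARKED_DOMAINS:
        return PLATFORM_HOME
    # Rebuild from the parsed pieces: normalised host, no fragment.
    return urlunsplit(("https", host, parts.path or "/", parts.query, ""))
```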

InfoSec Write-ups

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties and CTFs to vulnhub machines, hardware challenges and real life encounters. In a nutshell, we are the largest InfoSec publication on Medium. #sharingiscaring
