How I hacked a website and took full access over it !
Hi fellow hackers and bug hunters, hope your bugs are getting validated 😅. OK, so this is my first write-up on Medium, and please forgive me if something is wrong in it. In future I may write up a lot of my findings, so kindly check my profile and follow. Let's get started. Before that, a few things about me: this is Gnana Aravind, a bug hunter from India, currently working part-time as a penetration tester at a company.
So recently I found a website belonging to a budding startup company. As you know, I can't disclose their name here, so let us call it subdomain.victim.com. Before moving to Kali Linux for reconnaissance, I gave business logic errors a try, and I noticed that the website was using OAuth for sign-in and sign-up. If you are not aware of how OAuth works, read the article below to get some knowledge about it.
I kept an eye on the requests and responses after roaming over the website. When I was using the OAuth functionality, there was a request sent to the website which caught my attention, and it looked like this.
As you can notice, the token along with the user's mail id is being sent there. So now the thing running in my mind was: what if I change my mail id to someone else's mail id? So I quickly created another account and checked for the same, and YESSSS, it worked. I was able to take over any user account just by knowing their mail id. Now I went still crazier and thought: will it be the same case for the admin's mail id too?
So after some recon I got the mail id of the admin, executed the same methodology and BOOMM, I was able to take over the admin's account and do whatever I want. I was like,
Vulnerability Name : Account Takeover due to OAuth Misconfiguration
Severity : High
This is a part of my submitted report :
Vulnerability : An attacker can gain access to any user account on the website, including the admin's account.
Prerequisite : The targeted web app should have social account login (through Google, Facebook, etc.).
Steps to Reproduce :
1. Go to the login page and click on the "Sign in with Google" option.
2. Now click on your Google account and capture the request sent back to the website (it contains the token and your mail id).
3. Now change your mail id in that request to the victim's mail id and forward it, leaving the token unchanged.
4. The attacker is now logged in as the victim and has full access to the victim's account.
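The root cause described above (and reproduced in the steps) is that the server verifies the token but selects the account from the e-mail field the client sends alongside it, so the two are never bound together. The following is an added example, not code from the original write-up or from the affected site: it models that vulnerable login handler next to a hardened one that derives the identity only from the verified token claims. The provider's token issuance and verification are simulated with an HMAC signature so the example runs offline; a real app would instead validate the provider's ID token signature (for Google, against its published keys) or call the provider's userinfo endpoint. All names, keys and e-mail addresses are constructed for the demo.

```python
"""Added example: OAuth account takeover via a client-supplied e-mail, and the fix."""
import base64
import hashlib
import hmac
import json

# Constructed stand-in for the identity provider's signing key (assumption for
# the demo; real providers sign ID tokens with asymmetric keys).
PROVIDER_KEY = b"demo-provider-key"


def provider_issue_token(email):
    """Simulates the provider handing the browser a signed token for `email`."""
    payload = base64.urlsafe_b64encode(json.dumps({"email": email}).encode()).decode()
    sig = hmac.new(PROVIDER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{sig}"


def provider_verify_token(token):
    """Returns the verified claims, or None if the token is malformed or forged."""
    try:
        payload, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(PROVIDER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    return json.loads(base64.urlsafe_b64decode(payload))


def vulnerable_login(request):
    """The pattern in the write-up: the token is checked, but the account is
    picked by the e-mail field the client sent next to it."""
    if provider_verify_token(request["token"]) is None:
        return None
    return request["email"]  # attacker controls this field


def fixed_login(request):
    """Hardened: the account comes only from the verified token claims; any
    e-mail the client supplied is ignored."""
    claims = provider_verify_token(request["token"])
    if claims is None:
        return None
    return claims["email"]


def attack_demo():
    """Step 3 of the reproduction: keep the attacker's own valid token, swap in
    the victim's mail id, and see which account each handler logs in."""
    attacker_token = provider_issue_token("attacker@example.com")
    tampered = {"token": attacker_token, "email": "admin@victim.example"}
    return vulnerable_login(tampered), fixed_login(tampered)


if __name__ == "__main__":
    vulnerable, fixed = attack_demo()
    print("vulnerable handler logged in as:", vulnerable)
    print("fixed handler logged in as:", fixed)
```

Note that the fixed handler also stops the obvious second attempt, editing the e-mail inside the token itself: the signature no longer matches and the login is refused. Whatever identifier the app keys accounts on (e-mail or the provider's subject id) has to come from the verified token, never from a separate request parameter.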
I hope you got some idea after reading this. If your target has a request similar to this one, give this bug a try.
If you need any help with this bug, reach out to me on Instagram, and follow me here on Medium for more such useful write-ups. Give a like and applause if this was a good write-up.
Thanks and Regards, Gnana Aravind K
We also have a community called Cyberonics, where we conduct useful webinars for free. Follow us there to get updates on upcoming events.