Stories of Pre-Account Takeover

-

Hello Folks, this is Sourav. Hope you are doing well on the other side of the screen. I am a security enthusiast and bug bounty hunter from India. In this blog I will discuss some of my findings on Pre-Account Takeovers.


So let's start without wasting much time :

What is Pre-Account Takeover??

Pre-Account Takeover is a case of Account Takeover where the attacker has access to the victim's account prior to the victim's registration and then the can observe the victim's actions on the account.

So one fine day I started testing the targets for Pre-Account takeovers. So the Pre-Account Takeovers we are discussing in this blog is due to "Improper Oauth Implementation"




So you folks might have seen cases where :

  1. The website is not verifying the email ID after registration.
  2. The website is providing login via 3rd party applications like "Login with Google".

Now let's see two slightly different cases which I observed during in the wild -

Case 1

In this case I am covering the websites which let you register an user account using your email ID and a password. And these websites also allow the user to login via 3rd party account like Google and Facebook. Pretty Simple Right?

Now What's Wrong??

The attacker can register an account with the victim's email ID and will wait for the victim to do login via any third party accounts like Google or Facebook. And when the victim visits the website and do login via 3rd party account like Google or Facebook than the website will merge both the accounts internally without letting the victims know that a account is already created with the same email ID.

And since the attacker already has access to the victim's account so this the case of Pre-Account takeover.

case 2

In this case I am covering websites which lets you register using an mobile number, email ID and a password. The websites were properly verifying the mobile number by sending an OTP but the website is not verifying the email ID.

Now in this case the attacker can create an account using his own mobile number and the victim's email ID. And when the victim will do login via any 3rd party account like Google or Facebook accounts than the website will merge both accounts internally based on the same email ID.


Mitigations in the wild

Now let's discuss the mitigations which I have observed in the wild :

  1. The website verify the email ID.
  2. If the victim is doing login via a 3rd party application and if an account is already registered with the same email ID than the website will ask the user to first link the the 3rd party accounts.
  3. If the victim is doing login via 3rd party accounts and an account is already registered with the same email ID than the website will not terminate all the active session disable the password which was intitially used to create an the account.

Result






















Okay Folks that's all for now.  Keep Hydrated and Hack the Planet




Comments

Post a Comment

Popular posts from this blog

Hacking wordpress websites via xmlrpc.php

-
Image
  Hello Folks, Sourav from this side. Hope you are doing awesome on the other side of the screen. I am security enthusiast and bug bounty hunter from India. In this article we will discuss about xmlrpc.php in wordpress websites by leveraging which an attacker can attack wordpress websites. So let's get started without wasting much time!! What the heck is xmlrpc.php?? If you guys don't know about xmlrpc.php than please read it about here . But in short xmlrpc.php is a simple, portable way to make remote procedure calls over HTTP. Wordpress, Drupal and most content management system supports XML-RPC. The core features that xmlrpc enabled were allowing you to connect your via smartphone, implementing tracbacks and pingacks from other sites.  Note - XML-RPC is enabled y default in all of the versions of wordpress. Let's move on with the story..... Since I am not allowed to disclose the name of the website that's why we will use example.com for the sake of this article. So f
Read more

How I accidentally found Sensitive data exposure!!

-
Image
  Hello folks, This is Sourav. Hope you are doing awesome on the other side of the screen. I am     security enthusiast and a bug bounty hunter from India. Today I will discuss How I accidentally found a sensitive data exposure during my recon. Okay folks let's get started without wasting any time... One fine day I was looking for some premium themes for wordpress websites and that's how I landed upon a website which provides all kinds Web Development solutions. Since I am not allowed to reveal the name of the website so will take example.com for the sake of this writeup. I don't know what came into me but I thought, let's see how secure is a website itself who provides web development solutions to others. If the website is itself safe enough ?? Let's find out.............. I quickly run amass on example.com and started traversing the application to see how it works. Than I noticed that amass quickly completed its operation. So quickly I took a look at amass outp
Read more