Showing posts from September, 2016

Bug Bounty: Account Takeover Vulnerability POC

Hello,

In this post I'm going to share how I could take over www.example.com user accounts.

So, what was the vulnerability?
Well, it was a very simple OAuth flaw which I could use to take over user accounts with minimal user interaction.

Cut the crap, give me the POC -_- Ok.

www.example.com users have an option to connect their Facebook account to their example.com account.



Once a user connects his Facebook account to his example.com account, he no longer needs to enter his username/password to log in. Instead he can simply click "Sign in using Facebook" and he will be logged in (only if he is already logged in to the Facebook account he connected to his example.com account).



Ok, all looks good. Let's see what happens in the background when a user clicks on "Connect with Facebook".

GET request:

https://m.facebook.com/v2.2/dialog/oauth?redirect_uri=https://www.example.com/user_profile.php?action=fb_connect&scope=email,user_birthday,user_education_history,user_home…
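An authorization request of this shape is the input the provider must validate before it ever redirects the browser back with a code or token. As an added example (my own code, not the post's and not Facebook's or example.com's), the following Python parses such a dialog URL and applies the standard checks: exact-match allowlisting of redirect_uri, https only, and a non-empty state parameter. The allowlist and both sample URLs are constructed for the example, modelled on the request shown above.

```python
"""Added example: provider-side hygiene checks for an OAuth 2.0 authorization
request shaped like the "Connect with Facebook" dialog URL above. The
allowlist and sample URLs below are constructed, not taken from any site."""
from urllib.parse import urlsplit, parse_qs

# Constructed: the redirect URI the relying party is assumed to have registered.
REGISTERED_REDIRECT_URIS = frozenset({
    "https://www.example.com/user_profile.php?action=fb_connect",
})


def parse_authz_request(url: str) -> dict:
    """Return the dialog URL's query parameters as {name: [values]}.
    parse_qs splits on '&' and then on the FIRST '=', so an unencoded '?'
    inside redirect_uri (as in the post's request) survives intact, and any
    duplicated parameter stays visible as a multi-element list."""
    return parse_qs(urlsplit(url).query, keep_blank_values=True)


def check_authz_request(url: str, registered=REGISTERED_REDIRECT_URIS) -> dict:
    """Evaluate what a provider should enforce before redirecting back."""
    params = parse_authz_request(url)
    uris = params.get("redirect_uri", [])
    uri = uris[0] if len(uris) == 1 else ""   # exactly one redirect_uri allowed
    findings = {
        # Byte-for-byte comparison against the allowlist; no prefix matching.
        "redirect_uri_registered": uri in registered,
        "redirect_uri_https": urlsplit(uri).scheme == "https",
        # state binds the callback to the session that started the flow.
        "state_present": bool(params.get("state", [""])[0]),
        "scopes": params.get("scope", [""])[0].split(","),
    }
    findings["accept"] = (findings["redirect_uri_registered"]
                          and findings["redirect_uri_https"]
                          and findings["state_present"])
    return findings


# Constructed sample 1: same shape as the post's request, with a state value.
SAMPLE_OK = ("https://m.facebook.com/v2.2/dialog/oauth"
             "?redirect_uri=https://www.example.com/user_profile.php?action=fb_connect"
             "&scope=email,user_birthday&state=c29tZXJhbmRvbQ")
# Constructed sample 2: redirect_uri deviates from the registered value, no state.
SAMPLE_BAD = ("https://m.facebook.com/v2.2/dialog/oauth"
              "?redirect_uri=https://www.example.com/user_profile.php"
              "&scope=email,user_birthday")

if __name__ == "__main__":
    for name, sample in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(name, check_authz_request(sample))
```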