Misconfiguration OAuth Lead Account Takeover #Part 1

Galuh Muhammad Iman Akbar
2 min read, Jan 4, 2022

Assalamuallaikum Wr.Wb

Hello friends

I want to explain a bug bounty finding I got in 2020. The vulnerability lies in a weak OAuth configuration.

The first thing to analyze is the flow of the website's OAuth login and registration.

Then look at the data taken from the OAuth provider to register your account on the website; here are the results of my findings. Pay attention to the parameters that are POSTed to the website's registration endpoint: there is a parameter named "n" that contains the user's name, and an "e" parameter that contains the user's email obtained when authenticating with OAuth. Because these values are sent by the client rather than fetched from the provider by the server, the website has no way to verify that the email in "e" really belongs to the person who logged in.

That way I knew the next step to take over several accounts registered on the website. After I scrolled down, there was a customer service account, so I immediately tried to take over that account, namely by changing the "e" parameter, which previously contained my email, to the customer service parameters that I got.

Boom! As a result, I was able to take over the customer service account; here are the results.
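To make the root cause concrete, here is an added example (not code from the post or from the affected website) that models the registration step described above: a vulnerable handler that trusts the client-supplied "e" parameter, next to a hardened handler that resolves the email server-side from the OAuth provider. The provider lookup, token values and account store are constructed for the demo.

```python
# Constructed stand-in for the OAuth provider's userinfo endpoint:
# access token -> the identity the provider actually authenticated.
PROVIDER_USERINFO = {
    "tok-attacker": {"sub": "1001", "email": "attacker@example.com", "email_verified": True},
}

# Constructed existing accounts on the relying website, keyed by email.
ACCOUNTS = {
    "attacker@example.com": {"role": "user"},
    "cs@example.com": {"role": "customer_service"},
}


def login_vulnerable(post):
    """Mirrors the bug in the post: the account is chosen by whatever
    email the client put in the POST body field 'e'. Returns the email
    the session is now bound to."""
    email = post["e"]
    ACCOUNTS.setdefault(email, {"role": "user", "name": post.get("n")})
    return email


def login_hardened(post):
    """Ignores 'e' and 'n' for identity. The server presents the access
    token to the provider and binds the session to the email the provider
    vouches for. Returns None when the token is unknown or the provider
    has not verified the email."""
    info = PROVIDER_USERINFO.get(post.get("access_token"))
    if info is None or not info.get("email_verified"):
        return None
    email = info["email"]
    # In production, key accounts by the provider's (issuer, sub) pair
    # rather than by email, so a later email change cannot re-link accounts.
    ACCOUNTS.setdefault(email, {"role": "user", "name": post.get("n")})
    return email
```

Running both handlers on the same POST that swaps "e" for the customer service address shows the vulnerable one binding the session to the victim account while the hardened one binds it to the attacker's own identity.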

Note: It is very important to understand the program flow of the application you are hunting on. Once you know the flow of the application, finding a vulnerability becomes much easier.

Wassalamuallaikum Wr.Wb

Galuh Muhammad Iman Akbar

Focus on what your strengths are; as for your shortcomings, just be grateful.