#BugBounty — “User Account Takeover-I just need your email id to login into your shopping portal account”

Avinash Jain (@logicbomb)
Dec 13, 2018


Hi Guys,

A pending writeup about a very simple and yet critical vulnerability by which I was able to take over any user account in a popular online shopping portal. Let’s see what the complete scenario was:

The most crucial part of software development, when it comes to security, is integration. The majority of security hacks/loopholes happen due to incorrect implementation while integrating third-party services/modules with the application. Developers should not leave any misconfiguration open while implementing these services.

I went to the login section of the site, and just as every site has the option to “sign in with Google/Facebook” apart from the usual “OTP and password” login, it had the same functionality.

[Screenshot: Login page]

I tried to log in with Google sign-in, and below is the HTTP request for the same:

[Screenshot: Google sign-in with OAuth2]

The OAuth2 sign-in authorization service is in use. Let’s see how it is implemented on the client side. Below is the HTTP request for the same:

[Screenshot: Login HTTP raw request]

As can be seen in the above screenshot, there are 2 parameters which are being used for login verification: the “accessToken”, which carries the Google OAuth2 sign-in token, and the “login” parameter, which carries the user’s mail id.

Restating: the majority of security hacks/loopholes happen due to incorrect implementation while integrating third-party services/modules with the application.

The same happened here, where the OAuth2 service was integrated but the implementation turned out to be weak and vulnerable.

I found that the code was just verifying either of the two things: the “accessToken” provided by OAuth2 or the “login” mail id of the user, and that is where the vulnerability was present. So I replaced the “login” value with the mail id of one of my friends who has an account on the site (which I could also get by user enumeration on the login page), and below is the response I got:

[Screenshot: Change the login value to victim’s mail id]

[Screenshot: Login successful]

I was able to successfully log in to my friend’s account and had access to his complete profile.

And this is how I could take over any user’s account by just knowing the login mail id.
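The flaw and its fix as they might look on the server side, as an added example that is not the portal's code: one way the described check could be written, next to a handler that takes the identity only from the verified token. The function names, claim fields, client id and the in-memory stand-in for the provider's token validation are all assumptions constructed for illustration.

```python
# Added example: constructed stand-in for an OAuth2 provider's token check.
# In production, verify_token would be the provider's token-validation call.
OUR_CLIENT_ID = "shop-portal-client-id"  # constructed value

ISSUED_TOKENS = {  # constructed sample data: token -> claims the provider asserts
    "tok-attacker": {"aud": OUR_CLIENT_ID, "email": "attacker@example.com",
                     "email_verified": True},
    "tok-other-app": {"aud": "some-other-app", "email": "victim@example.com",
                      "email_verified": True},
}
ACCOUNTS = {"attacker@example.com", "victim@example.com"}  # constructed


def verify_token(access_token):
    """Return the provider-asserted claims, or None if the token is unknown."""
    return ISSUED_TOKENS.get(access_token)


def login_vulnerable(access_token, login):
    """Flawed pattern: the token and the account to open are checked
    independently, so any valid token opens whatever 'login' names."""
    if verify_token(access_token) is None:
        return None
    return login if login in ACCOUNTS else None


def login_hardened(access_token, login=None):
    """Identity comes only from verified claims; 'login' is never trusted."""
    claims = verify_token(access_token)
    if claims is None:
        return None
    if claims.get("aud") != OUR_CLIENT_ID:   # token minted for a different app
        return None
    if not claims.get("email_verified"):
        return None
    email = claims["email"].lower()
    if login is not None and login.lower() != email:
        return None                          # mismatch: reject and log for review
    return email if email in ACCOUNTS else None
```

A request whose “login” value disagrees with the email bound to the token is also a useful detection signal, since a legitimate client never produces it.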

Report details-

10-July-2018 — Bug reported to the concerned company.

14-August-2018 — Bug was marked fixed.

14-August-2018 — Re-tested and confirmed the fix.

05-October-2018 — Rewarded.

Thanks for reading!

~Logicbomb ( https://twitter.com/logicbomb_1 )
