Forced OAuth profile linking

Report:

Vulnerability Type: Forced OAuth profile linking
Vulnerable Lab: https://portswigger.net/web-security/oauth/lab-oauth-forced-oauth-profile-linking
Severity: HIGH
POC (Video): https://youtu.be/Ec0pdG0MEGg (attached)

Description:

The client application implements the OAuth account-linking flow insecurely: the request that attaches a social media profile to a blog account is not bound to the session that started the flow. An attacker can abuse this to get their own social media profile attached to another user's account and then log in as that user.

How to reproduce the vulnerability:

1. Access the lab and log in with the blog website account wiener:peter. Click My Account > Attach a social media profile, authenticate as peter.wiener:hotdog, then click Log out.

2. In Burp, turn on proxy interception and click the "Login with social media" option again.

3. In Burp Proxy, forward requests until you have intercepted the one for GET /oauth-linking?code=[...]. Right-click this request, select "Copy URL", then drop the request. Turn off proxy interception and log out of the blog website.

4. On the exploit server, create a payload along the lines of: <iframe src="Your Copied URL"></iframe>

5. Click Store, then deliver the exploit to the victim.

6. Click "Log in with social media" again, open the Admin Panel and delete Carlos.
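The steps above work because the /oauth-linking request carries nothing that ties it to the session that began the linking flow, so whoever loads the copied URL (here the administrator, via the iframe) gets the attacker's social profile attached to their own account. The following added example, which is not part of the original report or of the lab, models the client application's linking endpoint in plain Python: a vulnerable handler that mirrors the lab's behaviour next to a hardened one that binds the flow to the session with a random, single-use state value. The Session class, the linked_profiles store, the code value "code-for-attacker" and the exchange_code() stub are constructed for the example.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Session:
    """Constructed stand-in for the blog application's server-side session."""
    user: str
    oauth_state: Optional[str] = None


# Constructed in-memory store: blog username -> linked social profile id.
linked_profiles: Dict[str, str] = {}


def exchange_code(code: str) -> str:
    """Constructed stand-in for the token exchange with the OAuth provider.

    Returns the social profile the authorization code was issued for. In the
    real flow this is a back-channel request to the provider's token endpoint.
    """
    issued = {"code-for-attacker": "peter.wiener"}  # constructed sample code
    return issued[code]


def link_vulnerable(session: Session, params: Dict[str, str]) -> str:
    """Vulnerable handler: behaves like the lab's /oauth-linking endpoint.

    Nothing binds the request to the session that started the linking flow,
    so any logged-in user whose browser is made to load the attacker's URL
    gets the attacker's social profile attached to their account.
    """
    profile = exchange_code(params["code"])
    linked_profiles[session.user] = profile
    return f"linked {profile} to {session.user}"


def start_linking(session: Session) -> str:
    """Hardened flow, step 1: mint a per-session state value.

    The returned value is sent to the provider in the authorization redirect
    as the state parameter; the provider echoes it back on the callback.
    """
    state = secrets.token_urlsafe(32)
    session.oauth_state = state
    return state


def link_hardened(session: Session, params: Dict[str, str]) -> str:
    """Hardened handler: only honour a callback this session initiated.

    The state value is consumed on first use so a captured callback URL
    cannot be replayed, and the comparison is constant-time.
    """
    expected = session.oauth_state
    session.oauth_state = None  # single use, whether or not the check passes
    supplied = params.get("state", "")
    if expected is None or not hmac.compare_digest(expected, supplied):
        raise PermissionError("OAuth linking request was not initiated by this session")
    profile = exchange_code(params["code"])
    linked_profiles[session.user] = profile
    return f"linked {profile} to {session.user}"


if __name__ == "__main__":
    # Forged request (the iframe scenario) against the vulnerable handler succeeds.
    admin = Session(user="administrator")
    print(link_vulnerable(admin, {"code": "code-for-attacker"}))

    # The same forged request against the hardened handler is rejected.
    linked_profiles.clear()
    admin = Session(user="administrator")
    try:
        link_hardened(admin, {"code": "code-for-attacker"})
    except PermissionError as err:
        print("rejected:", err)

    # A genuine flow, started from the victim's own session, still works.
    state = start_linking(admin)
    print(link_hardened(admin, {"code": "code-for-attacker", "state": state}))
```

The attacker in the lab can capture the code parameter from their own flow, but cannot know the random state stored in the administrator's session, so the hardened handler rejects the forced request; consuming the state on first use also stops the captured URL from being replayed against the same session.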

Impact:

Because the linking request is not tied to the session that initiated it, the attacker's social media profile ends up attached to the victim's blog account (in the lab, the administrator's). The attacker can then log in with that social profile and act as the victim, including using the admin panel to delete other users.

Proof of Concept: see the video linked in the report header.
