Hello everyone, I hope you all are doing great! Today’s writeup explains how I earned $250 from my second bug report on HackerOne.
If you haven’t read my first article, please check it out by clicking the link below:
While hunting on a private program on HackerOne (let’s call the target domain “domain.com”), I found a functionality where users can add two emails to their account. The first is the email used to create the account, known as the primary email; the second can be added in the account settings and is known as the secondary email. I got interested in this functionality and started testing it.
First, I tried logging in with the secondary email and password, but since the account was initially created using the primary email, I wasn’t able to log in. So, I attempted to log in using OAuth with the secondary email. Guess what? I successfully logged into the account through Google OAuth.
Now, I had the account logged in on two browsers: Chrome and Firefox. In Chrome, I logged in with the primary email (attacker1@gmail.com) and password. In Firefox, I logged in with the secondary email using Google OAuth (attacker2@gmail.com). Next, in the Chrome browser, I changed the secondary email to mine@gmail.com.
In other words, I changed the secondary email from attacker2@gmail.com to mine@gmail.com. There is also an option to disconnect Google accounts, which I used to disconnect the linked Google account. I then reloaded the session in Firefox and noticed that it was still active. I tried changing the name and changing the secondary email from mine@gmail.com back to attacker2@gmail.com, and both changes went through. When I reloaded the session in Chrome, all the changes were reflected there as well.
This confirmed that it was a vulnerability related to session management. I reported it to domain.com, and after one week, they awarded me $250.
1. Victim’s Actions:
   - Log in to the application using primary account credentials.
   - Add a secondary email address to the account.
   - Link the account to the secondary email’s Google account using OAuth.
2. Attacker’s Actions:
   - Gain access to the victim’s session via Google authentication of the secondary email.
3. Victim’s Actions:
   - Log in to the primary account.
   - Delete the secondary email address from the account.
   - Disconnect the Google account from the primary account.
4. Attacker’s Actions:
   - Refresh the session in the attacker’s browser.
5. Observation:
   - The session remains active despite the disconnection.
   - The attacker can modify the victim’s account data.

Impact:
- Unauthorised access: Attackers can gain unauthorised access to the victim’s account by exploiting this vulnerability.
- Privacy breach: This vulnerability compromises the privacy and security of user accounts by allowing access via a deleted, but previously verified, email address.

Tip: Always try to check all functionalities and attempt to bypass them. You might discover critical vulnerabilities that could lead to significant rewards.
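The root cause in the steps above is that a session, once issued, is never tied back to the identity that created it, so removing the secondary email or disconnecting Google leaves the Firefox session alive. The following is an added example, not code from the program or from this writeup, of how a session store can bind each session to its login identity and method and revoke the dependent sessions when those are removed; the class and method names (SessionStore, change_secondary_email, disconnect_google) are assumptions, and the emails reuse the ones from the writeup.

```python
# Added example (not code from the program or the author): a minimal session
# store that binds every session to the identity and method used to create
# it, so that changing the secondary email or disconnecting Google revokes
# the sessions that depended on them. Class and method names are assumptions.
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple
import secrets


@dataclass
class Account:
    primary_email: str
    secondary_email: Optional[str] = None
    google_linked: bool = True


@dataclass
class Session:
    token: str
    account_id: str
    login_identity: str  # email that was presented at login
    method: str          # "password" or "google_oauth"
    revoked: bool = False


class SessionStore:
    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}
        self.sessions: Dict[str, Session] = {}

    def create_session(self, account_id: str, identity: str, method: str) -> str:
        acct = self.accounts[account_id]
        # Password login only works for the primary email (as observed in the writeup).
        if method == "password" and identity != acct.primary_email:
            raise PermissionError("password login requires the primary email")
        # OAuth login is accepted for either linked email while Google is connected.
        if method == "google_oauth":
            if not acct.google_linked or identity not in (acct.primary_email, acct.secondary_email):
                raise PermissionError("Google login not available for this identity")
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(token, account_id, identity, method)
        return token

    def is_active(self, token: str) -> bool:
        sess = self.sessions.get(token)
        return sess is not None and not sess.revoked

    def _revoke_where(self, account_id: str, match: Callable[[Session], bool]) -> int:
        """Revoke every live session of the account that the predicate selects."""
        revoked = 0
        for sess in self.sessions.values():
            if sess.account_id == account_id and not sess.revoked and match(sess):
                sess.revoked = True
                revoked += 1
        return revoked

    def change_secondary_email(self, account_id: str, new_email: Optional[str]) -> int:
        """The fix: any session opened with the old secondary email dies with it."""
        acct = self.accounts[account_id]
        old = acct.secondary_email
        acct.secondary_email = new_email
        if old is None or old == new_email:
            return 0
        return self._revoke_where(account_id, lambda s: s.login_identity == old)

    def disconnect_google(self, account_id: str) -> int:
        """Disconnecting the provider revokes every session it authenticated."""
        self.accounts[account_id].google_linked = False
        return self._revoke_where(account_id, lambda s: s.method == "google_oauth")


def replay_writeup_scenario() -> Tuple[bool, bool]:
    """Replays the Chrome/Firefox steps; returns (chrome_active, firefox_active)."""
    store = SessionStore()
    store.accounts["victim"] = Account("attacker1@gmail.com", "attacker2@gmail.com")
    chrome = store.create_session("victim", "attacker1@gmail.com", "password")
    firefox = store.create_session("victim", "attacker2@gmail.com", "google_oauth")
    store.change_secondary_email("victim", "mine@gmail.com")
    store.disconnect_google("victim")
    return store.is_active(chrome), store.is_active(firefox)


if __name__ == "__main__":
    print(replay_writeup_scenario())  # (True, False): the Firefox session is revoked
```

The vulnerable behaviour described in the writeup corresponds to a store whose change_secondary_email and disconnect_google never call _revoke_where, which would leave both sessions active. Recording login_identity and method per session is what makes the targeted revocation possible; a store that only maps tokens to account ids cannot tell which sessions an unlinking should invalidate, and the conservative fallback is to revoke all of the account’s sessions on any change to its authentication methods.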
Thank you so much for reading, and happy hacking!