How Sensitive Information Disclosure Can Lead to Account Takeover


My investigation began with a thorough review of the application’s API. While analyzing the endpoints, I discovered an IDOR vulnerability that allowed me to manipulate user IDs in requests. Specifically, I found an API endpoint that provided sensitive user information, including the google_id associated with user profiles.

By changing the ID parameter to that of another user, I could retrieve their profile information, including their google_id. This was a critical piece of information since the application relied on Google authentication for user logins.

With the google_id in hand, I shifted my focus to understanding how the login process using Google worked on the website.

How the Login Process Worked:

1. User Initiates Login: When a user clicked the “Login with Google” button, the application redirected to Google for authentication.
2. ID Token Generation: Google generated an idToken using the user's credentials.
3. Token Handling: The application accepted this idToken and used it to create a JSON Web Token (JWT) for session management.

With the knowledge of how the login mechanism worked, I decided to test the limits of the authentication process. Here’s how I executed the account takeover:

1. Capture the Login Request: Using Burp Suite, I monitored the requests made to the application when a user logged in via Google.
2. Modify the Request: I identified a request that was generating the idToken. I sent this request to the Repeater tab and replaced the user_id in the GET parameter with the google_id I obtained from the IDOR vulnerability.
3. Then I identified a request that was generating the JWT token. I sent the request to the Repeater tab and replaced the idToken.

Result:

The server accepted the modified idToken and generated a JWT token for the victim’s account. This allowed me to gain full access to the victim's account.

This experience illustrated the critical need for proper access controls and validation in web applications. The initial IDOR vulnerability not only exposed sensitive information but also led to a straightforward account takeover due to inadequate validation during the authentication process.
