OAuth Misconfiguration Pre-Account Takeover


socalledhacker

Original article: https://nexguardians.com/oauth-misconfiguration-pre-account-takeover/

Check out my previous articles on P4 bugs: Part 1, Part 2, Part 3, Part 4, Part 5, Part 6

Hi everyone, I am socalledhacker: a security researcher, penetration tester, certified ethical hacker and a web3 noob. In the past months I have discovered lots of bugs, but in today’s article we are going to discuss low-hanging fruits, or P4 vulns, as they are very easy to find and are present on almost every website. So let’s start with our first vulnerability.

I have discovered lots of OAuth misconfiguration pre-account takeover bugs in the past, and it is the bug I have found the most: on almost every program I hunt on that has a login feature via OAuth, I got an OAuth misconfiguration pre-account takeover. OAuth is not easy to implement securely, so developers regularly make mistakes in its configuration, and that is the cause of this bug.

So let’s talk about how to find/test this bug. Let’s say you have a target with a login function via OAuth. Create an account using your email address; a verification link will then be sent to your email address. Don’t verify it.
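The account-linking logic that turns an unverified signup like the one above into a takeover, beside the defensive check, as an added Python example that is not from the article; the in-memory store, the OAuth subject ids and the email values are constructed for illustration:

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class User:
    email: str
    email_verified: bool
    password_hash: Optional[str] = None   # set by local (password) signup
    oauth_subjects: Set[str] = field(default_factory=set)


class AccountStore:
    """Constructed in-memory user table standing in for the app's database."""

    def __init__(self) -> None:
        self.users: Dict[str, User] = {}

    def register_with_password(self, email: str, password_hash: str) -> User:
        # Local signup creates the row immediately; a verification mail goes out,
        # but nothing prevents the row from lingering while unverified.
        user = User(email, email_verified=False, password_hash=password_hash)
        self.users[email] = user
        return user

    def oauth_login_vulnerable(self, subject: str, email: str) -> User:
        # Links on email match alone. Whoever pre-registered this email (without
        # ever verifying it) keeps their password on the account the OAuth user
        # now lands in: that is the pre-account takeover.
        user = self.users.get(email)
        if user is None:
            user = User(email, email_verified=True)
            self.users[email] = user
        user.oauth_subjects.add(subject)
        user.email_verified = True
        return user

    def oauth_login_hardened(self, subject: str, email: str,
                             provider_verified: bool) -> User:
        # Only trust an email address the identity provider itself has verified.
        if not provider_verified:
            raise PermissionError("provider did not verify email; no auto-link")
        user = self.users.get(email)
        if user is not None and not user.email_verified:
            # Stale, never-verified local signup: its creator never proved control
            # of the address, so drop its credentials rather than link to them.
            user = None
        if user is None:
            user = User(email, email_verified=True)
            self.users[email] = user
        user.oauth_subjects.add(subject)
        return user
```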
