Let's explore the present OAuth phishing issue. Recently, I started hunting Google and found a Google subdomain that contains an OAuth misconfiguration where we can tamper with the ContinueUrl and make the victim get redirected to the evil page. The sad part is that no OAuth token was leaked; only the state token was leaked. The state parameter generates a random string every time, which is of no use. Still, I wanted to try my luck, so I reported it to Google. After some conversations, the report was closed as Intended Behaviour :(
I know that the OAuth request from that subdomain can be called directly, and after authorization it goes to the attacker's endpoint. Hence we can use Google as a medium for our phishing page, as it ensures trust.
Proof Of Concept:
The proof of concept is pretty simple. We know the vulnerable endpoint; all we need to do is tamper with the continue URL, change it to a malicious website, and send it to the victim via Gmail or any other source.
Since the endpoint is accounts.google.com, there is an extreme difference between clicking xyz.yyz.com and accounts.google.com. Hence the victim will not be too cautious about the link. When the victim clicks the link, he will be sent to the login page for authentication.
After successful authentication, the victim will be redirected to the attacker's website.
It might look like a lame attack, but it's effective for making the victim click the link and trust the redirection. Social engineering is simply the exploitation of the natural human tendency to trust. Building that trust is very important for a social engineering attack.
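As an added example (not code from this post or from Google), here is the kind of server-side check that closes this class of open redirect: a naive substring test on the continue parameter shown beside a strict allow-list comparison of the parsed host. The allow-listed hosts and the default landing page are hypothetical.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed allow-list for this example (hypothetical hosts, not Google's
# configuration): the only places a post-login "continue" URL may point at.
ALLOWED_CONTINUE_HOSTS = {"accounts.example.com", "mail.example.com"}
DEFAULT_LANDING = "https://accounts.example.com/"


def naive_is_safe(url: str) -> bool:
    """The kind of check that leaves an open redirect: a substring test for the
    trusted domain name. It accepts any URL that merely mentions that name."""
    return "example.com" in url


def safe_continue_url(url: str) -> str:
    """Strict check: parse the URL, require https and an exact allow-listed host,
    and fall back to a fixed landing page whenever anything is off."""
    if not url:
        return DEFAULT_LANDING
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return DEFAULT_LANDING
    # Scheme-relative ("//evil.test/") and "javascript:" values fail here.
    if parts.scheme != "https":
        return DEFAULT_LANDING
    host = (parts.hostname or "").lower()
    # Exact host match only: "accounts.example.com.evil.test" and a path such as
    # "https://evil.test/accounts.example.com" are both rejected, and a userinfo
    # part is refused even when the host itself is on the list.
    if host not in ALLOWED_CONTINUE_HOSTS or parts.username or parts.password:
        return DEFAULT_LANDING
    netloc = f"{host}:{port}" if port else host
    # Rebuild the URL from the validated pieces; the fragment is dropped.
    return urlunsplit(("https", netloc, parts.path or "/", parts.query, ""))


def compare(url: str) -> tuple:
    """Show both checks side by side for one candidate continue URL."""
    return naive_is_safe(url), safe_continue_url(url)


if __name__ == "__main__":
    for candidate in ("https://mail.example.com/inbox?x=1",
                      "https://evil.test/accounts.example.com",
                      "https://accounts.example.com.evil.test/",
                      "//evil.test/"):
        print(candidate, "->", compare(candidate))
```

The second and third candidates pass the naive check but are sent to the landing page by the strict one, which is exactly the difference between a trusted redirect and a tampered one.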
Watch who you trust; even your teeth bite your tongue every now and then.
A simple proof-of-concept video demonstrating the issue. Using Google OAuth as a medium, there is a great tendency for social engineering attacks.
Awareness is a key ingredient in success. If you have it, teach it; if you lack it, seek it.
Thank you for giving your time to read the article! Thanks, Hema, for helping me with this article.
Linkedin : https://www.linkedin.com/in/kabilan-s-4b8a90173
Instagram : https://www.instagram.com/username_.not._available/