OAuth Misconfiguration Leading to Unauthorized Admin Access For All Org Products

TL;DR

I signed up using any unclaimed email on application_2 (e.g., victim@example.com) due to no email verification, then logged into the victim's account on application_1 using the SSO feature that allowed me to log in using application_2.

Introduction

In this report, I am going to detail a notable vulnerability I discovered on [Redacted Company]'s platforms. This vulnerability, stemming from an OAuth misconfiguration, allowed an attacker to access an admin panel by exploiting a single sign-on system. This insight underscores the significance of meticulous security configurations and the potential dangers that even slight missteps can harbor.

The Discovery

While evaluating several of [Redacted Company]'s products:

  • Product

  • Another product

  • Another one?

  • ...and more.

I noted an unusual occurrence during the login process. There were around 8 to 9 sign-in options provided. However, only the vulnerable.com option allowed users to create a new account, and that option belongs to the same company.

With curiosity, I forged ahead and created an admin account for myself on vulnerable.com. Subsequent to this, I added another user to my organization using an email affiliated with a [Redacted Company] admin, which was as simple as admin@redacted.com, and I set a password for it.

The crux of the issue here was that vulnerable.com didn’t demand email verification. Given that [Redacted Company] authenticated based solely on the email address, I exploited this loophole to sign into the admin panel of their product, utilizing the vulnerable.com login option.
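The account-linking logic behind this bug, shown as an added example that is not the company's code: the vulnerable resolver picks the local account purely by the email claim any SSO provider hands over, while the hardened resolver keys on the provider's (issuer, subject) pair and only falls back to email when the issuer is one that is known to verify addresses and the claim itself says so. The user store, issuer names and claim shapes are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Account:
    email: str
    role: str
    linked_ids: set = field(default_factory=set)  # (issuer, sub) pairs linked to this account

# Constructed sample user store: local accounts keyed by email.
USERS = {
    "admin@example.com": Account("admin@example.com", "admin"),
}

# Assumption: issuers on this allowlist verify email ownership before issuing a token.
ISSUERS_WITH_VERIFIED_EMAIL = {"https://idp-verified.example"}

def resolve_vulnerable(claims):
    """The pattern from the write-up: any provider's email claim selects the local account,
    so an IdP that never verified the address can mint an admin login."""
    return USERS.get(claims.get("email"))

def resolve_hardened(claims):
    """Match on (iss, sub) first; link by email only for a verified claim from a trusted issuer."""
    issuer, sub = claims.get("iss"), claims.get("sub")
    if not issuer or not sub:
        return None
    # Stable identity: the pair this provider has already been linked under.
    for acct in USERS.values():
        if (issuer, sub) in acct.linked_ids:
            return acct
    # First login from this provider: email may be used to link only when it is trustworthy.
    email = claims.get("email")
    if (issuer in ISSUERS_WITH_VERIFIED_EMAIL
            and claims.get("email_verified") is True
            and email in USERS):
        acct = USERS[email]
        acct.linked_ids.add((issuer, sub))  # remember the link so later logins do not rely on email
        return acct
    return None  # unverified or unknown email: do not attach to an existing account
```

In the hardened path, a token from an issuer that does not verify emails never reaches an existing account, which closes the path the write-up describes.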

The Impact

An individual armed with the right information could:

  1. Fully compromise every product and every admin panel the company has.

  2. By taking over admin accounts, I was able to take over any customer/user accounts as well and leak all their data.

The ramifications are broad, impacting numerous services under [Redacted Company]'s umbrella.

Conclusion

Discovering this vulnerability in a renowned platform was quite an eye-opener. It's a testament to the intricate nature of digital security and serves as a reminder that overlooking even the smallest details can lead to significant security lapses.

If I had rushed to only take note of the multiple login options without delving deeper into the single registration option, I might have missed out on the magnitude of the vulnerability. Thus, like the subdomain takeover I mentioned in my last blog, further probing often reveals more severe impact points.

Timeline

  • 2023-08-11: Reported

  • 2023-08-14: Delved deeper into the admin panels.

  • 2023-08-15: Discovered an active ex-admin employee account, which helped the company terminate it as well.

  • 2023-08-15: Triaged

  • 2023-09-05: Fixed

  • Severity: Critical (10.0)

  • Bounty: $4000


Final Word: Continuous probing, persistence, and a keen eye for details are essential in the world of cybersecurity. Ensure you're always a step ahead. Happy hacking!