OAuth Misconfiguration

See how I found an OAuth misconfiguration escalated to pre authentication account takeover without Burpsuite or any other tool.

Modern Web And Android Apps use OAuth for easy authentication. I won't go into what it is and how it works because I have already shared the related learning resources in my Linkedin post : Click here !

I have found various typical cases such as "missing state parameter" , "improper redirect_uri validation" and others that one can learn from Portswigger's Web Security Academy https://portswigger.net/web-security/oauth. So I won't discuss those here.

Rather I will show how I found a logical flaw in the web app's OAuth implementation which is not described in Portswigger's article.

One of the public programs on Bugcrowd was using google OAuth. I tested the basic test cases but the functionality was quite well implemented.

However I noticed that immediate 'Email verification was not required to create an account.

I am putting the screenshots from the report so that I dont have to explain the impact here again 🤪.

I did some more research about this and found this amazing blog by @harshbothra_ : https://hbothra22.medium.com/attacking-social-logins-pre-authentication-account-takeover-790248cfdc3

PreviousCrazy Account Highjack NextOpen Redirect >> XSS

Last updated 4 years ago