Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
huntrThewhiteevilD6DE3D6E-9551-47D1-B28C-7E965C1B82B6
HistoryFeb 12, 2023 - 1:07 p.m.

Account Takeover and Persistence due to the Oauth Misconfiguration

2023-02-1213:07:58
thewhiteevil
www.huntr.dev
45
oauth misconfiguration
account takeover
pre-account takeover
vulnerability
video demonstration
steps to reproduce
google oauth sso
email verification
social logins
bug bounty

EPSS

0.001

Percentile

31.8%

JSON

Team,

May you all be well on your side of the screen. :)

*. While Doing some research on thehttps://cal.com/, I was able to find a Pre-Account Takeover vulnerability.

Proof of concept:

*. I have created a video demonstration of the vulnerability and uploaded it to my Google Drive.

*. The link for the video is provided below for your review:

https://drive.google.com/file/d/15rHB1CNK1AvmtCL6eS7wXEA98wzEuql9/view?usp=sharing

Steps to Reproduce:

*. Go to the https://cal.com/

*. Try to create new account by using the victim email address.

Example:

*. My victim: [email protected]

*. Once done with entering the needful details for signup, we were landed on the dashboard directly by using the victim email.

*. In attacker end attacker has victim email id and password to login on the https://cal.com/

*. Victim end, victim receiving email notification for account verification or something from thehttps://cal.com/ and victim checking it out.

*. Then, victim can try to login through the Google Oauth SSO, what happens here victim can directly land on the dashboard by using the SSO.

*. Which shows attacker end attacker can login through the victim email address and password, victim end victim can login through the Google Oauth SSO.

*. Since, Attacker and victim end same account was used on.

*. Until victim identifies this is attacker created account, and then until victim change the password and or adding Authenticator OTP, both of their ends the same account was accessed.

*. That’s the issue and it shows the Account Takeover.

Solution:

*. Either don’t let the user enter with Oauth when there’s already another account created with the same email or let the user enter but let him know someone else has already created an account and if it was him or not then ask him to change the password.

*. First, clearly verify the Email OTP or link, then give the access to the dashboard.

*. The easiest remediation to this issue is to ensure that the email verification is adequately implemented and can not be bypassed.

*. Further, by ensuring that the social logins are correctly implemented, the email extracted from the social login is verified against the existing user’s database to ensure that the victim asked to reset the password.

*. By doing so, it is possible to remove the attacker’s persistence.

Related

prion 1
nvd 1
cve 1
osv 1
cvelist 1
prion
prion
Improper access control
2023-03-27 01:15:00
nvd
nvd
CVE-2023-1647
2023-03-27 01:15:07
cve
cve
CVE-2023-1647
2023-03-27 01:15:07
osv
osv
CVE-2023-1647
2023-03-27 01:15:07
cvelist
cvelist
CVE-2023-1647 Improper Access Control in calcom/cal.com
2023-03-27 00:00:00

EPSS

0.001

Percentile

31.8%

JSON
Related for D6DE3D6E-9551-47D1-B28C-7E965C1B82B6
prion1nvd1cve1osv1cvelist1