
Story of a Pre-Account Takeover
Hello everyone, hope you are having a great day. Today I am going to talk to you about an interesting bug that I found on a private program on HackerOne.
It is one of the most popular investing apps on the market. I cannot disclose the name of the program since the vulnerability is not fixed yet. The application allowed its users to log in with its own authentication system or with social authentication (Google and Facebook). The flaw was in the ‘Login with Google/Facebook’ functionality: there was no ‘Disconnect from Google/Facebook’ feature available. Once a social account was associated with an email, it stayed linked permanently and could not be unlinked. Let me walk you through the steps to reproduce it:
1. Sign up for an account with the attacker’s Google account.
2. After signup, the attacker is prompted to set a username, email, and password for the account.
3. The attacker changes the email to the victim’s email, sets his own username and password, and completes the signup process.
4. When the victim tries to create an account, an ‘email already exists’ message pops up. The victim then resets the account password and succeeds.
The victim is unaware that the attacker’s Google account is still connected to his account, and there is no way for him to unlink it.
The attacker just needs to use Google Login functionality to access the victim’s account and boom.
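To make the root cause concrete, here is a small model of the linking flaw beside a hardened variant. This is an added example for this writeup, not the app's code: the hardened service revokes every social identity linked before the mailbox owner proved control of the address (here, by completing a password reset), so the attacker's Google login no longer resolves to the victim's account. The account addresses, Google subject id and placeholder password hash are all constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional

@dataclass
class Account:
    email: str
    email_verified: bool = False
    password_hash: Optional[str] = None
    linked_providers: Dict[str, str] = field(default_factory=dict)  # provider -> subject id

class AccountService:
    def __init__(self, hardened: bool):
        self.hardened = hardened
        self.accounts: Dict[str, Account] = {}  # keyed by email

    def signup_with_google(self, google_sub: str, google_email: str) -> Account:
        acct = Account(email=google_email, email_verified=True)
        acct.linked_providers["google"] = google_sub
        self.accounts[google_email] = acct
        return acct

    def change_email(self, acct: Account, new_email: str) -> None:
        # Flaw as in the writeup: the new address is accepted without verification,
        # while the Google identity stays linked to the renamed account.
        del self.accounts[acct.email]
        acct.email = new_email
        acct.email_verified = False
        self.accounts[new_email] = acct

    def reset_password(self, email: str, new_hash: str) -> Account:
        acct = self.accounts[email]
        acct.password_hash = new_hash
        acct.email_verified = True  # completing the reset proves control of the mailbox
        if self.hardened:
            # Identities linked before the mailbox was proven cannot be trusted: drop them
            # and require the verified owner to re-link social logins deliberately.
            acct.linked_providers.clear()
        return acct

    def login_with_google(self, google_sub: str) -> Optional[Account]:
        for acct in self.accounts.values():
            if acct.linked_providers.get("google") == google_sub:
                return acct
        return None

def attacker_retains_access(hardened: bool) -> bool:
    """Replay the four reproduction steps; True means the pre-account takeover still works."""
    svc = AccountService(hardened)
    acct = svc.signup_with_google("google-sub-attacker-1", "attacker@example.com")  # constructed
    svc.change_email(acct, "victim@example.com")
    svc.reset_password("victim@example.com", "argon2id$placeholder")  # victim recovers the account
    return svc.login_with_google("google-sub-attacker-1") is not None
```

With `hardened=False` the attacker's Google login still opens the victim's account after the reset; with `hardened=True` it no longer matches any account.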
This was it for my first bug bounty writeup. Hope this will help you learn something new. Peace.