Week 53 - Pre-Account Takeover
Last updated
You've probably heard of Account Takeover vulnerabilities, but have you heard of Pre-Account Takeover (OAuth)?
This can occur whenever an application does not verify a user's email address at registration and also offers a third-party social login (Sign in with Google, Facebook, etc.) that links accounts by email. The attack path looks like:
-A threat actor registers an account with the victim's address, victim@victim[.]com, and a password of their choosing. Because the application never verifies the address, the account is created anyway.
-Sometime later, the victim signs up, but does so through a third-party social login (also using victim@victim[.]com).
-When the victim's social sign-up completes, the application finds the existing account with the same email and links the social identity to it, rather than creating a new account. The threat actor's password remains valid on that account.
-The threat actor logs in to the victim's account with the password set in step 1 and achieves account takeover.
Successfully executed, this attack allows for the takeover of a target victim's account. The root cause is that an unverified email address is being treated as proof of ownership. This finding can be remediated by properly implementing email verification (an account whose address was never confirmed should not be usable, and should never be auto-linked), and by checking whether an account already exists for the address before allowing a new sign-up through a social login, instead of silently merging the two.
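The following is an added example, not code from the original post: a minimal in-memory model of the two flows above, with the vulnerable linking logic beside a hardened version. The class and method names (UserStore, register_with_password, social_login, and so on) are hypothetical, and the `strict` flag simply switches between the two behaviours so the attack can be replayed against each.

```python
"""
Added example (hypothetical names, not the original post's code): an in-memory
model of password registration and social login, showing how linking on an
e-mail match alone enables pre-account takeover, and one way to harden it.
"""
import hashlib
import hmac
import os
import secrets


class AccountExists(Exception):
    pass


class LoginRejected(Exception):
    pass


def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class UserStore:
    def __init__(self, strict: bool):
        self.strict = strict              # False = vulnerable, True = hardened
        self.users: dict[str, dict] = {}  # keyed by normalised e-mail address

    def register_with_password(self, email: str, password: str) -> str:
        key = email.strip().lower()
        if key in self.users:
            raise AccountExists(key)
        salt = os.urandom(16)
        self.users[key] = {"salt": salt, "pw": _pbkdf2(password, salt),
                           "email_verified": False, "social": None}
        # Token that would be mailed to the address; only confirm_email() sets the flag.
        return secrets.token_urlsafe(16)

    def confirm_email(self, email: str) -> None:
        self.users[email.strip().lower()]["email_verified"] = True

    def password_login(self, email: str, password: str) -> str:
        key = email.strip().lower()
        u = self.users.get(key)
        if u is None or u["pw"] is None:
            raise LoginRejected("no password credential on this account")
        if not hmac.compare_digest(u["pw"], _pbkdf2(password, u["salt"])):
            raise LoginRejected("bad password")
        if self.strict and not u["email_verified"]:
            raise LoginRejected("email not verified")
        return key

    def social_login(self, email: str, provider: str, subject: str,
                     idp_email_verified: bool) -> str:
        key = email.strip().lower()
        u = self.users.get(key)
        if u is None:
            # First sign-in from this identity: create a fresh account.
            self.users[key] = {"salt": None, "pw": None,
                               "email_verified": idp_email_verified,
                               "social": (provider, subject)}
            return key
        if u["social"] == (provider, subject):
            return key  # returning social user
        if not self.strict:
            # VULNERABLE: link on e-mail match alone; the pre-registered password survives.
            u["social"] = (provider, subject)
            return key
        # HARDENED: the IdP must assert the address (OIDC email_verified claim), and an
        # account whose owner never confirmed it is a placeholder, not an owner: wipe its
        # password credential before claiming it for the social identity.
        if not idp_email_verified:
            raise LoginRejected("identity provider did not verify this email")
        if not u["email_verified"]:
            u.update(salt=None, pw=None, email_verified=True, social=(provider, subject))
            return key
        raise AccountExists("verified account exists; sign in and link it from settings")


def attack_succeeds(strict: bool) -> bool:
    """Replay the three-step attack from the post against one configuration."""
    store = UserStore(strict)
    # Step 1: attacker pre-registers the victim's address and never verifies it.
    store.register_with_password("victim@victim.com", "attacker-chosen-pw")
    # Step 2: victim signs up via a social provider that has verified the same address.
    store.social_login("victim@victim.com", "google", "sub-1234", idp_email_verified=True)
    # Step 3: attacker tries the password from step 1.
    try:
        store.password_login("victim@victim.com", "attacker-chosen-pw")
        return True
    except LoginRejected:
        return False


if __name__ == "__main__":
    print("vulnerable store, attacker logs in:", attack_succeeds(strict=False))  # True
    print("hardened store, attacker logs in:  ", attack_succeeds(strict=True))   # False
```

Two design points are worth noting. First, an unverified password account proves nothing about who controls the address, so the hardened path treats it as a placeholder and removes its password before linking, rather than keeping both credentials alive. Second, the hardened path only accepts the provider's email as an identifier when the provider itself asserts it is verified; a social identity with an unverified email gets no automatic match at all.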
As a hacker, you should spend some time on engagements attempting to bypass this verification as it can lead to a nice finding!