Pre-Account Takeover Methodology!

While performing penetration testing on a (website.com) target, I observed that the application automatically logged me in as soon as I created a new account. This implies that there is no email verification at all. Similarly, the application also supported multiple social login methods such as Login with Google, Facebook and Apple.

By following the steps below, I was able to perform a pre-authentication account takeover successfully.


1:) [Attacker Step] Navigate to the target application's registration page and register a new account using the victim user's email. Since the application also has a Google Authentication and Facebook option, I used a Gmail account for registration as the victim account.

2:) Observe that the application successfully logs the user in once the registration process completes, and that all features of the application are accessible.

3:) Now, log out and navigate back to the target application's login functionality.

4:) [Victim Step] This time, use Google Authentication to log in to the application with the same email address that was used in Step 1.

5:) Observe that the login is successful and the victim user can access the application. Then, perform some change in the application, such as a profile update.

6:) [Attacker Step] Now, in a separate browser window, attempt to log in using the Email:Password combination used for registration in Step 1.

7:) Observe that the attacker is successfully logged in to the victim user's account and can see all the changes that the victim performed.

8:) This allows the attacker to keep persistent access to the victim user's account until the victim manually changes the account's password.


Impact:

Since there is no email confirmation, an attacker can easily create an account in the application using the victim's email. This gives the attacker pre-authenticated access to the victim's account.


Further, because the email returned by the social login is not properly validated and the application does not check whether an account already exists, the victim will never notice that an account was already created under their address. Hence, the attacker's persistence remains.


An attacker would be able to see all the activities performed by the victim user (impacting confidentiality) and could attempt to modify or corrupt the data (impacting integrity and availability).


This attack becomes more interesting when an attacker can register an account using an employee's email address. Assuming the organization uses G Suite, hijacking an employee's account is far more impactful.


Note: If the victim already has an account using social login on the application, this attack will most likely not work.


Remediation:

The website should only allow users to view their profile or redirect them to the dashboard after email verification; alternatively, the user account should be activated only once the user's email address has been verified.
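Added example (not code from the original writeup or the tested site): a constructed toy model of the flow in Steps 1 to 7 that replays the attacker's registration, the victim's social login and the attacker's password login, with two hardening switches. It goes one step beyond the remediation above: requiring verification alone is not enough if the social login silently merges into, and "verifies", an unverified pre-registered record, so the hardened path also refuses to merge into such a record. The `AuthService`, `Account` and `simulate` names and the `victim@example.com` address are assumptions made up for this example.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Account:
    email: str
    password: Optional[str] = None        # None for social-only accounts
    email_verified: bool = False
    providers: set = field(default_factory=set)

class AuthService:
    """Toy model of the page's signup / social-login flow (constructed)."""

    def __init__(self, require_verification: bool, merge_unverified: bool):
        self.require_verification = require_verification
        self.merge_unverified = merge_unverified
        self.accounts: dict = {}

    def register(self, email: str, password: str) -> bool:
        """Step 1: local signup. True means a session was issued."""
        self.accounts[email] = Account(email, password)
        return not self.require_verification   # vulnerable: session before verify

    def login_password(self, email: str, password: str) -> bool:
        """Step 6: password login."""
        acct = self.accounts.get(email)
        if acct is None or acct.password != password:
            return False
        return acct.email_verified or not self.require_verification

    def login_social(self, email: str, provider: str) -> bool:
        """Step 4: the identity provider asserts ownership of `email`."""
        acct = self.accounts.get(email)
        if acct and not acct.email_verified and not self.merge_unverified:
            # Hardened: never merge into an unverified pre-registered record;
            # replace it so the attacker-chosen password is discarded.
            acct = None
        if acct is None:
            acct = Account(email)
            self.accounts[email] = acct
        acct.email_verified = True            # trusting the IdP's assertion
        acct.providers.add(provider)
        return True

def simulate(require_verification: bool, merge_unverified: bool) -> bool:
    """Replays steps 1-7; True means the attacker's password still works."""
    svc = AuthService(require_verification, merge_unverified)
    svc.register("victim@example.com", "attacker-chosen")   # step 1, attacker
    svc.login_social("victim@example.com", "google")        # step 4, victim
    return svc.login_password("victim@example.com", "attacker-chosen")
```

`simulate(False, True)` reproduces the tested site, `simulate(True, True)` shows that verification alone still leaves the attacker's password valid after the social merge, and `simulate(True, False)` is the combination that closes the hole.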



Link to the full writeup by @Harsh Bothra


https://link.medium.com/QUzpgBiZvub