Misconfigured Social Login (OAuth) Leads to Permanent Account Access

Hemdeep Gamit
2 min read · Nov 24, 2021

Hello Hunters, this article is about one of my findings in which a user can access an account that does not belong to him via social login. Without wasting any time, let's just start with the attack.

The application allows users to register themselves using the FORM registration and using social logins (GOOGLE, Twitter, GitHub).

Now I've registered using the FORM, put in the details, and used an email, for example ATTACKER@GMAIL.COM.

Surprisingly there is no email notification about the registration; this blew my mind.

Now I log out from the account and log in again, but this time I've used GOOGLE Authentication.

I'm successfully logged in to the account, and my social login provider status looks like below.

GOOGLE: Connected
Twitter :
GitHub:

Now I just visit the change email page and change my email from ATTACKER@GMAIL.COM to VICTIM@GMAIL.COM, which is not registered yet in the application.

Now I log out from the application and log in again with GOOGLE Authentication of ATTACKER@GMAIL.COM, and I'm successfully logged in to the account.

It's time for the victim's registration: when the victim tries to register using the VICTIM@GMAIL.COM email, the application throws an error saying that a user already has an account with this email.

Now the victim resets the password using the reset link and logs in to his account, but he forgets to disconnect the social login.

I just try again to log in with GOOGLE Authentication of ATTACKER@GMAIL.COM, and again I'm successfully logged in.

Impact: An attacker has persistent access to the victim's account and can use all the functionality available to any legitimate user without their consent. No matter how many times the victim changes his password, the attacker still has access to the victim's account until the social login is disconnected.

Remediation:

1. Disconnect the social logins when the email address has been changed.

2. If possible, confirm the email address, or send a notification to the email address, in both the registration and the change email functionality.
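To make the root cause concrete, here is an added example (my own model, not the vulnerable application's code) of the account-linking logic described above: a social login is resolved by the provider's subject id once linked, so an email change that does not unlink providers leaves the attacker's Google identity attached to the account the victim later takes over. The `unlink_on_email_change` switch applies remediation 1; all class and method names are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Account:
    email: str
    password: str                       # stand-in for a password hash
    links: dict = field(default_factory=dict)   # provider -> provider subject id

class AccountStore:
    def __init__(self, unlink_on_email_change: bool):
        self.unlink_on_email_change = unlink_on_email_change
        self.by_email: dict = {}        # email -> Account
        self.by_link: dict = {}         # (provider, subject) -> Account

    def register(self, email: str, password: str) -> Account:
        if email in self.by_email:
            raise ValueError("an account already exists for this email")
        acct = Account(email, password)
        self.by_email[email] = acct
        return acct

    def social_login(self, provider: str, subject: str, provider_email: str):
        # 1. an identity already linked to an account wins, whatever that account's email is now
        acct = self.by_link.get((provider, subject))
        if acct is None:
            # 2. otherwise auto-link to the local account with the same email (assumed app behaviour)
            acct = self.by_email.get(provider_email)
            if acct is not None:
                acct.links[provider] = subject
                self.by_link[(provider, subject)] = acct
        return acct

    def change_email(self, acct: Account, new_email: str) -> None:
        del self.by_email[acct.email]
        acct.email = new_email
        self.by_email[new_email] = acct
        if self.unlink_on_email_change:          # remediation 1: drop every linked provider
            for provider, subject in acct.links.items():
                del self.by_link[(provider, subject)]
            acct.links.clear()

    def reset_password(self, email: str, new_password: str) -> None:
        self.by_email[email].password = new_password

def attacker_keeps_access(unlink_on_email_change: bool) -> bool:
    # Replays the write-up's sequence; True means the attacker's Google login still lands in the account.
    store = AccountStore(unlink_on_email_change)
    acct = store.register("attacker@example.com", "attacker-pw")
    store.social_login("google", "sub-attacker", "attacker@example.com")  # auto-links Google
    store.change_email(acct, "victim@example.com")            # attacker re-points the account
    store.reset_password("victim@example.com", "victim-pw")   # victim cannot register, so resets
    return store.social_login("google", "sub-attacker", "attacker@example.com") is acct
```

Registering VICTIM@GMAIL.COM a second time raises the "already exists" error the post describes, which is why the victim ends up in the reset-password path.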

I immediately wrote a report about this and submitted it to the responsible program, but unfortunately it was marked as a duplicate. LOL. It happens. :)

Thank you for reading, guys. Stay Safe, Stay Healthy.
