Epic Games -- Account Takeover in Art Station through Token/App Impersonation Attack in Google OAuth 2.0 Flow

Company Information : 


Epic Games, Inc. is an American video game and software developer and publisher based in Cary, North Carolina. The company was founded by Tim Sweeney as Potomac Computer Systems in 1991, originally located in his parents' house in Potomac, Maryland.


Bug Category : 

OAuth 2.0 Vulnerability - Token Impersonation 

While browsing the web, you've almost certainly come across sites that let you log in using your social media account. The chances are that this feature is built using the popular OAuth 2.0 framework. OAuth 2.0 is highly interesting for attackers because it is both extremely common and inherently prone to implementation mistakes. This can result in a number of vulnerabilities, allowing attackers to obtain sensitive user data and potentially bypass authentication completely.

Once the OAuth provider has sent the access_token to the client application, the application has to maintain a session. To achieve this, the client application will often submit this data to its server in a POST request and then assign the user a session cookie, effectively logging them in much like a traditional password-based login. However, the server does not hold any secret or password to compare against the data submitted by the client application, so that data is implicitly trusted.

In this situation, an attacker can simply change the parameters sent to the server to impersonate any user, because the access token itself is valid. 



Target  Information : 

https://www.artstation.com


Technical Details of the Bug : 

Art Station's Google OAuth 2.0 login flow is vulnerable to a Token/App Impersonation Attack, which leads to account takeover of any Art Station user.

Token/App Impersonation Attack :

An authorisation server (e.g. Google) issues a different id_token/access_token to each registered client: the token issued to app test1 is distinct from the one issued to app test2, and test1's token should not be accepted by test2, or vice versa. If a victim client app only checks that a token is a valid token from the provider (e.g. Google), then a token issued to any other client, including an attacker's, will also be accepted by the victim app. The attacker therefore registers their own OAuth 2.0 client with the provider (e.g. Facebook), runs the OAuth flow on the user and obtains that user's access_token for the attacker app. The attacker then presents this access_token to the victim app to log in. Since the victim client app only uses the token to look up the login details (email etc.) and, once verified, hands over that user's data to whoever presents the token, this is a direct account takeover. You can read more about this attack in the references.

Bug On Art Station Google OAuth 2.0 Flow :

In the explanation above, the victim app is Art Station. The Art Station Google flow accepts any valid id_token issued to any Google client, which results in account takeover. Any 3rd-party app that uses the Google OAuth flow can access its customers' Art Station accounts through their id_tokens. An attacker just needs to register an attacker app, obtain the id_token of an Art Station user for that app, and use that id_token to log in to the user's Art Station account.
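The defect described above is a missing audience check on the id_token. The following is an added example, not Art Station's or Epic's code, that puts a vulnerable consumer (accepts any provider-signed id_token) beside a hardened one (also requires iss, aud, exp and email_verified). To run offline it signs tokens with a constructed HS256 key as a stand-in for Google's RS256 signature and JWKS lookup; the client IDs, subject and email are placeholders, and the claim checks are the same ones a real consumer performs.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed placeholder client IDs (not real Google client IDs).
VICTIM_APP_CLIENT_ID = "victim-app.apps.googleusercontent.com"
ATTACKER_APP_CLIENT_ID = "attacker-app.apps.googleusercontent.com"
GOOGLE_ISSUERS = {"https://accounts.google.com", "accounts.google.com"}

# Constructed signing key: stands in for Google's RS256 signature and JWKS
# so the example runs offline. The claim checks below do not depend on it.
DEMO_SIGNING_KEY = b"demo-signing-key-not-a-real-secret"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_id_token(claims: dict) -> str:
    """Produce a signed token the way the issuer would (HS256 stand-in)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(DEMO_SIGNING_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def verify_signature(token: str) -> dict:
    """Check only that the provider signed the token, then return its claims.
    This is all a consumer learns by asking 'is this a valid Google token?'."""
    try:
        header, body, sig = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    expected = hmac.new(DEMO_SIGNING_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(body))


def vulnerable_login(token: str) -> str:
    """The flaw in the post: any provider-signed id_token is accepted,
    regardless of which client it was issued to."""
    claims = verify_signature(token)
    return claims["email"]  # a session would be created for this email


def hardened_login(token: str, expected_aud: str, now=None) -> str:
    """Signature plus the claim checks an id_token consumer must perform."""
    now = time.time() if now is None else now
    claims = verify_signature(token)
    if claims.get("iss") not in GOOGLE_ISSUERS:
        raise ValueError("wrong issuer")
    # The check that closes the bug: the token must have been minted for OUR client.
    if claims.get("aud") != expected_aud:
        raise ValueError("token issued to a different client (aud mismatch)")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("email_verified") is not True:
        raise ValueError("email not verified by provider")
    return claims["email"]


def login_outcome(fn, *args, **kwargs) -> str:
    """Run a login function and report either the email or the rejection reason."""
    try:
        return "OK:" + fn(*args, **kwargs)
    except ValueError as e:
        return "REJECTED:" + str(e)


def demo(now: float = 1_700_000_000) -> dict:
    """Mint one token for the victim app and one for the attacker app (same user),
    then feed both to the vulnerable and the hardened consumer."""
    base = {"iss": "https://accounts.google.com", "sub": "100000000000000000001",
            "email": "victim@example.com", "email_verified": True,
            "iat": now - 60, "exp": now + 3600}
    victim_token = mint_id_token({**base, "aud": VICTIM_APP_CLIENT_ID})
    attacker_token = mint_id_token({**base, "aud": ATTACKER_APP_CLIENT_ID})
    return {
        "vulnerable_accepts_attacker_token": login_outcome(vulnerable_login, attacker_token),
        "hardened_accepts_own_token": login_outcome(hardened_login, victim_token, VICTIM_APP_CLIENT_ID, now=now),
        "hardened_rejects_attacker_token": login_outcome(hardened_login, attacker_token, VICTIM_APP_CLIENT_ID, now=now),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

In a real Google integration the signature and claim checks are done in one call by the google-auth library, google.oauth2.id_token.verify_oauth2_token(token, request, CLIENT_ID), which fails when aud does not match the CLIENT_ID you pass; the point of the example is that an audience check is mandatory even when the provider has already vouched for the signature.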

Severity :

In Art Station this attack also works when the user has never signed up with Google or does not use the Google sign-in feature. Running the Google flow for the first time for a user signs you straight in to the victim's account, which leads to account takeover of any Art Station user, not only those using Google OAuth. Hence I have rated the severity as Critical.

Vulnerable HTTP Request :

POST /api/v2/google_auth/sessions/login.json HTTP/2
Host: www.artstation.com
Cookie: cookies
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:94.0) Gecko/20100101 Firefox/94.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Public-Csrf-Token: 
X-Requested-With: XMLHttpRequest
Content-Length: 1281
Origin: https://www.artstation.com
Dnt: 1
Referer: https://www.artstation.com/?sort_by=community
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers

name=&user_identity=107470528550790719288&jwt=id_token


Vulnerable Parameter : jwt=id_token. Here jwt carries the id_token value issued by Google; the server accepts it without checking which Google client it was issued to.

Steps to reproduce :

As a 3rd-party app you can use an id_token generated from the Google OAuth Playground. You can use any Art Station account for testing.

1. Log in to the test1 user's Gmail account.
2. Go to https://developers.google.com/oauthplayground/
3. Select "Google OAuth2 API v2", authorise the API and exchange the code for a token (all these steps are shown in the video POC).
4. Capture the id_token value. This is the test id_token.
5. Open another browser and use another Art Station account, e.g. test2.
6. Use the "Login with Google" flow and intercept the final Art Station request.
7. The request will look like the one shown above.
8. Change the id_token value to the test id_token captured in step 4 and send the request to the server.
9. You will notice that you are logged in to the test1 (victim) user's account.

Video POC :







Timeline : 



Nov 09th 2021: Report sent to Epic Games Security Team through HackerOne.

Nov 11th 2021: Report accepted and triaged.

Nov 23rd 2021: Issue completely resolved and confirmed.

Nov 23rd 2021: $3000 bounty rewarded

