Epic Games - Connect Social Media Integration and possible account takeover of an ArtStation account by chaining multiple issues (OAuth Misconfiguration)

Company Information:


Epic Games, Inc. is an American video game and software developer and publisher based in Cary, North Carolina. The company was founded by Tim Sweeney as Potomac Computer Systems in 1991, originally located in his parents' house in Potomac, Maryland.



Bug Category:

OAuth 2.0 vulnerability - CSRF:

A CSRF attack against the client's redirection URI allows an attacker to inject their own authorization code or access token, which can result in the client using an access token associated with the attacker's protected resources rather than the victim's (e.g. saving the victim's bank account information to a protected resource controlled by the attacker).



Target Information:

https://www.artstation.com/


Technical Details of the Bug:

There are a lot of issues related to OAuth misconfiguration on https://www.artstation.com/ which lead to different attacks, and also to a possible account takeover if certain conditions are met. I list the vulnerabilities below.

Issue 1: Social Media Integration OAuth CSRF issue:

In the account settings you can integrate your social media accounts with your ArtStation account to automatically publish to Facebook, Twitter and LinkedIn from ArtStation. This feature is vulnerable to a CSRF attack. I have noticed that all parts of the CSRF protection are validated properly on the server side, but due to a small misconfiguration CSRF on this function still occurs. Below is the flow of the social media integration.

1. ArtStation's first request to the server:

GET /users/auth/[Oauth_provider] HTTP/1.1
Host: www.artstation.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Referer: https://www.artstation.com/myartstation/settings/general
Cookie: [cookies]
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

The Oauth_provider value is either facebook, twitter or linkedin. In the response to this request you get the provider's configured OAuth URL. Below is the URL for Facebook. Example:

https://www.facebook.com/v2.11/dialog/oauth?client_id=249255215230397&redirect_uri=https%3A%2F%2Fwww.artstation.com%2Fusers%2Fauth%2Ffacebook%2Fcallback&response_type=code&scope=email%2C+public_profile%2C+manage_pages%2C+publish_pages&state=[State_token]


Once the authentication etc. is done on the provider side, the final request differs between providers. Below is the final request for Facebook.

Final Request:

GET /users/auth/facebook/callback?code=[Code]&state=[state_token] HTTP/1.1
Host: www.artstation.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://www.artstation.com/
Connection: close
Cookie: [Cookies]


CSRF bug in the flow:

Overall the whole flow looks very secure, as the state token etc. are validated properly. This prevents an attacker's social account from being connected to the victim's ArtStation account. But the first request is a plain GET URL without CSRF protection. If the attacker sends this URL to the victim, the victim will be connected to their own social media account. In most social media integrations, once your account has been added there is no further permission dialog, so if the victim opens the first request URL directly, they are reconnected to their own account.

Direct URL (example, Facebook): https://www.artstation.com/users/auth/facebook

Steps to reproduce:

1. Log in from the victim account and go to the settings page. Link: https://www.artstation.com/myartstation/settings/general
2. Click on the Facebook integration and grant the permission on the Facebook side.
3. You will come back to the same settings page, where the integration is now successful.
4. Now disconnect Facebook.
5. The attacker only has to send you the above mentioned vulnerable URL. Link: https://www.artstation.com/users/auth/facebook
6. Open the above link and you will notice that your account is reconnected to Facebook.

This way the attacker needs to send you just one link and your social media integration will be completed. This works for the other integrations too, such as Twitter and LinkedIn.

Issue 2: Social integration used for login:

The complete flow above is the same one used for the login process when you want to log in with Facebook. So, for example, even if you have disconnected the social integration with Facebook, it will still allow you to log in with Facebook. Since the same flow is used for login, it is vulnerable to login CSRF: simply send the above mentioned URL to the victim and the victim's ArtStation account will be logged in.

Issue 3: Login CSRF issue on the ArtStation main website:

There is a login CSRF issue on the ArtStation main login page (email and password).

Vulnerable HTTP Request:

POST /api/v2/authentication/session.json HTTP/1.1
Host: www.artstation.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
PUBLIC-CSRF-TOKEN:
X-Requested-With: XMLHttpRequest
Content-Length: 75
Origin: https://www.artstation.com
DNT: 1
Connection: close
Referer: https://www.artstation.com/?sort_by=community
Cookie: [cookies]
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

form_type=modal&email=email&password=password

In the above request the headers PUBLIC-CSRF-TOKEN, X-Requested-With, Origin etc. are not validated on the server side, leading to a CSRF attack on login.

HTML POC:

<html>
<body>
<form action="https://www.artstation.com/api/v2/authentication/session.json" method="POST">
<input type="hidden" name="form_type" value="modal">
<input type="hidden" name="email" value="[attacker_email]">
<input type="hidden" name="password" value="[attacker_password]">
<input type="submit">
</form>
</body>
</html>


Try it in the latest version of Safari.

Chaining the login CSRF on the ArtStation main website (issue 3) with the CSRF on social integration (issue 1) connects the victim's social logins to the attacker's account:

With the login CSRF the attacker can force the victim to log in to the attacker's account. The attacker then sends the social integration link to the victim, and the victim's social integration gets connected to the attacker's ArtStation account. This has the following impacts:

1. The social media integration will now automatically publish ArtStation content to the Facebook, Twitter and LinkedIn accounts of the victim.
2. Once the victim's account is added to the attacker's social media integration, the victim can no longer use those social logins themselves, as ArtStation gives the error "this account is already used in art station".
3. If the victim tries to log in from a social media account, e.g. Facebook, they will be logged in to the attacker's account.

Account takeover by chaining OAuth provider login CSRF with the Social Media Integration OAuth CSRF issue (1):

In this scenario there is a full account takeover of an ArtStation user without their knowledge. The attacker requires a login CSRF on the OAuth provider accounts (Facebook, Twitter etc.). Since login CSRF is always out of scope of the policy, it is very easy to get a login CSRF on any OAuth provider.

Attacker scenario and steps to reproduce:

1. The attacker forces the victim to log in to the attacker's social media account through login CSRF.
2. The victim is now logged in to the attacker's social media account.
3. The attacker sends the Social Media Integration OAuth CSRF (issue 1) direct URL of ArtStation to the victim. Link: https://www.artstation.com/users/auth/facebook
4. Once the victim opens this URL, the attacker's Facebook account is connected to the victim's ArtStation account.
5. The attacker can now log in directly to the victim's account with their own Facebook account.

This attack chain is easily possible as most websites allow login CSRF for business purposes. With the help of the Social Media Integration OAuth CSRF issue (1) the attacker can achieve a full account takeover of an ArtStation account.

Root cause:

The root cause of all these scenarios is the first bug in the social media integration. If you fix that issue, all the other issues are fixed as well. To fix it, use a POST request with CSRF protection to initiate the social media integration. Also, don't use the same flow for login and for social media integration. And if an ArtStation user has disconnected a social media integration, e.g. Facebook, they shouldn't be allowed to log in with that method.
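A minimal model of the three fixes described above, written as an added example (this is not ArtStation's or Epic's code). The in-memory stores, the placeholder provider URLs and the function names are assumptions, and the code-for-token exchange with the provider is not modelled; the point is how the CSRF guard, the purpose-bound state and the revocable link interact.

```python
import hmac
import secrets
from urllib.parse import urlencode

PROVIDERS = ("facebook", "twitter", "linkedin")
AUTHORIZE_URL = {p: f"https://{p}.example/oauth/authorize" for p in PROVIDERS}  # placeholders

def require_csrf(method, session, token):
    """Shared guard for state-changing requests: POST plus the session's CSRF
    token. Belongs on the password login endpoint (issue 3) as well as here."""
    if method != "POST" or not hmac.compare_digest(token or "", session["csrf"]):
        raise PermissionError("CSRF check failed")

class SocialAuth:
    def __init__(self):
        self.pending = {}  # state -> (session_id, purpose), consumed on callback
        self.links = {}    # (provider, provider_uid) -> user_id

    def begin(self, method, session, provider, csrf_token, purpose):
        """Start a provider flow; refuses the bare GET link that issue 1 abused."""
        require_csrf(method, session, csrf_token)
        if provider not in PROVIDERS or purpose not in ("login", "connect"):
            raise ValueError("unknown provider or purpose")
        # Bind the state to this session AND to the purpose, so a flow started
        # for login can never link an identity to an account, and vice versa.
        state = secrets.token_urlsafe(32)
        self.pending[state] = (session["id"], purpose)
        return AUTHORIZE_URL[provider] + "?" + urlencode({"response_type": "code", "state": state})

    def callback(self, session, provider, state, provider_uid):
        """Finish the flow; provider_uid stands for the identity obtained by
        exchanging the code (the exchange itself is not modelled here)."""
        entry = self.pending.pop(state, None)
        if entry is None or entry[0] != session["id"]:
            raise PermissionError("state mismatch")
        purpose, key = entry[1], (provider, provider_uid)
        if purpose == "connect":
            if self.links.get(key, session["user_id"]) != session["user_id"]:
                raise PermissionError("identity already linked to another account")
            self.links[key] = session["user_id"]
            return session["user_id"]
        # Login only through a link that still exists; disconnect() revokes it.
        user_id = self.links.get(key)
        if user_id is None:
            raise PermissionError("no active integration for this identity")
        return user_id

    def disconnect(self, user_id, provider):
        for key in [k for k, u in self.links.items() if k[0] == provider and u == user_id]:
            del self.links[key]
```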



Timeline:

Oct 04th 2021: Report sent to the Epic Games security team through HackerOne.

June 09th 2021: Report accepted and triaged.

March 07th 2022: Complete issue resolved and confirmed.

March 07th 2022: $3000 bounty rewarded.
