From staging to 0-click account takeover

Subdomains in scope:

  1. dashboard.akme.com
  2. dashboard-staging.akme.com
  3. forms.akme.com
  4. api.akme.com

What I noticed:

  1. dashboard-staging.akme.com is the staging version of dashboard.akme.com (this did not take much thinking).
  2. You can create an account on both of them, and, most importantly, with the same email address (this will come in handy).
  3. An account is created for you automatically on forms.akme.com when you sign up on the dashboard app, and you can log in to it by hitting this endpoint with your JWT session: api.akme.com/oauth

Steps to reproduce:

  1. Create an account A in dashboard (the production app).
  2. Create an account B in dashboard-staging, using the same email address as account A.
  3. Log in to forms with account A by hitting the oauth endpoint with its user session.
  4. Log in to forms with account B (same process as step 3). The staging session lands you in the forms account that belongs to A, the production user with that email.

Why it works:

  • The developers used the same JWT secret on production and staging, so api.akme.com/oauth cannot tell a staging-issued session from a production one: it verifies the signature, reads the email claim and logs you into the matching forms.akme.com account. This allowed me to access the forms.akme.com account of anyone just by knowing their email.
  • Email confirmation is not required to log in with oauth. If you had to prove that the victim's email belongs to you, you would not be able to fully sign up on dashboard-staging with it, and that signup is the main vector of the attack.
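The following is an added example, not code from the write-up or from Akme: it models the oauth endpoint once as described (one HS256 secret shared by production and staging, user looked up by the email claim) and once hardened (a secret per environment plus issuer, audience, expiry and email-verification checks). The secrets, claim names, account table and issuer URLs are assumptions made for the demonstration; the JWT helper is a minimal stand-in so the block runs offline.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed secrets; the real values are unknown.
SHARED_SECRET = b"one-secret-for-prod-and-staging"  # the bug: both environments sign with this
PROD_SECRET = b"prod-only-secret"                     # hardened setup: one secret per environment
STAGING_SECRET = b"staging-only-secret"

PROD = "https://dashboard.akme.com"                   # assumed issuer values
STAGING = "https://dashboard-staging.akme.com"

# Constructed forms.akme.com user table, keyed by email as the write-up implies.
FORMS_ACCOUNTS = {"victim@example.com": "forms-user-1001"}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, secret: bytes) -> str:
    """Minimal HS256 JWT encoder, standing in for the dashboards' session issuer."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token: str, secret: bytes) -> Optional[dict]:
    """Return the claims if `token` is a valid HS256 JWT under `secret`, else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None  # never let the token choose the algorithm
        expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        return json.loads(_b64url_decode(payload_b64))
    except (ValueError, UnicodeDecodeError):
        return None


def session_for(issuer: str, email: str, email_verified: bool, secret: bytes) -> str:
    """Session JWT as a dashboard would issue it after signup or login (assumed claim set)."""
    return sign_jwt({
        "email": email,
        "email_verified": email_verified,
        "iss": issuer,
        "aud": "forms.akme.com",
        "exp": int(time.time()) + 3600,
    }, secret)


def oauth_login_vulnerable(token: str) -> Optional[str]:
    """api.akme.com/oauth as described: one shared secret, trust the email claim."""
    claims = verify_jwt(token, SHARED_SECRET)
    if claims is None:
        return None
    return FORMS_ACCOUNTS.get(claims.get("email"))


def oauth_login_hardened(token: str) -> Optional[str]:
    """Same endpoint with a production-only secret and issuer/audience/expiry/verification checks."""
    claims = verify_jwt(token, PROD_SECRET)  # the staging secret is not configured here at all
    if claims is None:
        return None
    if claims.get("iss") != PROD or claims.get("aud") != "forms.akme.com":
        return None
    if not claims.get("email_verified", False):  # unconfirmed signups never reach forms
        return None
    if claims.get("exp", 0) <= int(time.time()):
        return None
    return FORMS_ACCOUNTS.get(claims.get("email"))


def run_scenario() -> dict:
    victim = "victim@example.com"
    # Staging issues the attacker a session for the victim's email without ever confirming it.
    return {
        # Shared secret: the staging token is indistinguishable from a production one.
        "vulnerable_staging_token": oauth_login_vulnerable(session_for(STAGING, victim, False, SHARED_SECRET)),
        # Separate secrets: staging's signature does not verify on the production endpoint.
        "hardened_staging_token": oauth_login_hardened(session_for(STAGING, victim, False, STAGING_SECRET)),
        # Even under the production secret, a staging-issued token is refused by the issuer check.
        "hardened_wrong_issuer": oauth_login_hardened(session_for(STAGING, victim, False, PROD_SECRET)),
        # The real account holder still gets in.
        "hardened_legit": oauth_login_hardened(session_for(PROD, victim, True, PROD_SECRET)),
    }


if __name__ == "__main__":
    for case, result in run_scenario().items():
        print(f"{case}: {result}")
```

The first case is the takeover from the write-up: the attacker's staging session resolves to the victim's forms account. The hardened endpoint closes it three ways independently, so a future secret leak or copy-paste of configuration between environments would still be caught by the issuer and email-verification checks.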
