From staging to 0 click account takeover

  1. dashboard.akme.com
  2. dashboard-staging.akme.com
  3. forms.akme.com
  4. api.akme.com

  1. dashboard-staging.akme.com is the staging version of dashboard.akme.com (did not take much thinking).
  2. You can create an account on both of them, most importantly with the same email (this will come in handy).
  3. An account gets created for you automatically on forms.akme.com when you sign up on the dashboard app, and you can log in to it by hitting this endpoint with your JWT session: api.akme.com/oauth

  1. Create an account A in dashboard.
  2. Create an account B in staging-dashboard.
  3. Log in to forms with account A by hitting the oauth endpoint with my user session.
  4. Log in to forms with account B (same process as 3).

  • The developers used the same JWT secret on staging and production to decode the users' sessions. This allowed me to access the account of anyone on forms.akme.com just by knowing their email.
  • You don't need email confirmation to log in with OAuth; otherwise, if you could not prove that the victim's email belongs to you, you wouldn't be able to fully sign up on dashboard-staging, which is the main vector of the attack.
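The two root causes above (a JWT secret shared between staging and production, and an oauth endpoint that trusts the token's email without confirmation) can be shown side by side. This is an added example, not code from the write-up or from the vendor; the secrets, claim names, hostnames and the victim address are constructed, and the HS256 helper is hand-rolled so it runs without extra packages.

```python
import base64, hashlib, hmac, json
from typing import Optional

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_hs256(claims: dict, secret: bytes) -> str:
    """Mint a minimal HS256 JWT (constructed helper, not the vendor's library)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def _verify_signature(token: str, secret: bytes) -> Optional[dict]:
    """Return the claims if the HS256 signature verifies under `secret`, else None."""
    header, payload, sig = token.split(".")
    expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return None
    return json.loads(_b64url_decode(payload))

# Vulnerable pattern from the write-up: one secret shared by staging and production,
# and the oauth endpoint maps the token's email straight to a forms.akme.com account.
SHARED_SECRET = b"same-secret-on-staging-and-prod"  # constructed value

def oauth_login_vulnerable(token: str) -> Optional[str]:
    claims = _verify_signature(token, SHARED_SECRET)
    return claims.get("email") if claims else None

# Hardened: production-only secret, issuer and audience pinned, verified email required.
PROD_SECRET = b"prod-only-secret"  # constructed value
STAGING_SECRET = b"staging-only-secret"  # constructed value

def oauth_login_hardened(token: str) -> Optional[str]:
    claims = _verify_signature(token, PROD_SECRET)  # a staging-signed token fails here
    if not claims or claims.get("iss") != "https://dashboard.akme.com":
        return None  # wrong secret or wrong issuer (staging) is rejected
    if claims.get("aud") != "forms.akme.com" or not claims.get("email_verified"):
        return None  # token not meant for forms, or email never confirmed
    return claims["email"]

# Constructed scenario: a staging session carrying an unconfirmed email that is not the signer's.
VICTIM = "victim@example.com"
staging_claims = {"iss": "https://dashboard-staging.akme.com", "aud": "forms.akme.com",
                  "email": VICTIM, "email_verified": False}
staging_token = sign_hs256(staging_claims, SHARED_SECRET)
```

The vulnerable endpoint returns the victim's email for the staging token; the hardened one rejects it three times over (secret, issuer, unverified email), which is why any one of those controls would have closed the bug.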
