Attacking Social Logins: Pre-Authentication Account Takeover

Attack Requirements

  • Lack of Email Verification: The target application should not have an email verification mechanism, or it should be bypassable. Often, it is observed that whenever a new user creates an account on some application, it requires first verifying the email and then only the access is granted. In a nutshell, this is an essential thing that is necessary to perform this attack. Due to this misconfiguration, an attacker would register an account in the application using the victim user’s account, i.e. Pre-Authentication.
  • Social Logins: The target application should also support at least one social logins, such as log in with Google, Facebook, Twitter and other services. Also, the victim’s email that the attacker is using for Pre-Authentication should be the one used in its social media account.
  • Victim User’s Email: The last item required is the victim user’s email; however, that’s not a big task, and it is possible to enumerate emails easily.

Attack Steps [From a real-life finding]

  1. [Attacker Step] Navigate to the target application and register a new account using the victim user’s email. Since the application also has a Google Authentication option, I used a Gmail account for registration as a victim account.
  2. Observe that the application successfully logs in a user upon registration process completion, and all the features of the applications are accessible.
  3. Now, log out and navigate back to the target application’s login functionality.
  4. [Victim Step] This time, use Google Authentication and login to the application using the same Email address that is used in Step-1
  5. Observe that the login is successful and the victim user can access the application. Then, perform any changes in the application, such as profile update.
  6. [Attacker Step] Now, In a separate browser window, attempt to log in using the Email:Password used for registration in Step-1 .
  7. Observe that the attacker is successfully logged in to the victim user’s account and can see all the changes that the victim performed.
  8. This allows an attacker to keep persistence access in the victim user’s account as long as the victim manually changes the account’s password.

Impact

  • Since there is no email confirmation, an attacker can easily create an account in the application using the Victim’s Email. This allows an attacker to gain pre-authentication to the victim’s account.
  • Further, due to the lack of proper validation of email coming from Social Login and failing to check if an account already exists, the victim will not identify if an account is already existing. Hence, the attacker’s persistence will remain.
  • An attacker would be able to see all the activities performed by the victim user impacting the confidentiality and attempt to modify/corrupt the data impacting the integrity and availability factor.
  • This attack becomes more interesting when an attacker can register an account from an employee’s email address. Assuming the organization uses G-Suite, it is much more impactful to hijack into an employee’s account.
  • The overall severity usually lies from High to Critical depending upon the data that is being stored.

Remediation

  • The easiest remediation to this issue is to ensure that the email verification is adequately implemented and can not be bypassed.
  • Further, by ensuring that the social logins are correctly implemented, the email extracted from the social login is verified against the existing user’s database to ensure that the victim asked to reset the password. By doing so, it is possible to remove the attacker’s persistence.

Takeaways

  • Always look for possible ways to bypass the email verification, especially when the social login options are present.
  • Always attempt to chain the vulnerabilities together to increase the impact.
  • Be observant and approach an application after understanding its logic.

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Harsh Bothra

Harsh Bothra

Security Engineer | Bugcrowd Top 150 & MVP| Synack Red Teamer | Cobalt Core Pentester | Bug Hunter | Author | Speaker | Learner | Poet | Twitter — @harshbothra_