Account Takeover in modrinth/labrinth
Oct 15th 2022
A malicious actor can set up a site on vercel.app and pick a subdomain that contains the string modrinth. Because the redirect target is only checked for that substring, this yields an open redirect at
https://api.modrinth.com/v2/auth/init?url=ATTACKER_URL, which allows stealing the GitHub token and therefore full account takeover.
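As an added illustration (not labrinth's own code), the substring-style host check the report describes beside a strict allowlist check for the `url` redirect parameter; the allowlist hosts, function names and sample URLs below are assumptions, and the substring logic is inferred from the report rather than taken from the project.

```python
from urllib.parse import urlsplit

# Flawed check as inferred from the report (assumption, not labrinth's code):
# any host that merely *contains* the product name is accepted, so an
# attacker-controlled subdomain such as modrinth-login.vercel.app passes.
def is_allowed_redirect_substring(url: str) -> bool:
    try:
        host = urlsplit(url).hostname or ""
    except ValueError:
        return False
    return "modrinth" in host

# Hardened check: exact-match allowlist of first-party hosts (assumed list),
# https only, and no userinfo in the authority component.
ALLOWED_HOSTS = {"modrinth.com", "www.modrinth.com"}

def is_allowed_redirect_strict(url: str) -> bool:
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if parts.scheme != "https":
        return False
    if parts.username is not None or parts.password is not None:
        return False
    host = (parts.hostname or "").lower().rstrip(".")
    return host in ALLOWED_HOSTS

# Constructed sample redirect targets for a side-by-side audit of both checks.
SAMPLE_URLS = [
    "https://modrinth.com/auth/callback",        # legitimate
    "https://modrinth-login.vercel.app/cb",      # third-party host, contains the string
    "https://modrinth.com.evil.example/cb",      # allowlisted host as a prefix only
    "http://modrinth.com/auth/callback",         # plaintext scheme
    "https://modrinth.com@evil.example/cb",      # userinfo trick
]

def audit(urls=SAMPLE_URLS):
    """Return (url, substring_verdict, strict_verdict) for each sample."""
    return [(u, is_allowed_redirect_substring(u), is_allowed_redirect_strict(u))
            for u in urls]

if __name__ == "__main__":
    for url, loose, strict in audit():
        print(f"{url:45} substring={loose!s:5} strict={strict}")
```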
Proof of Concept
This vulnerability allows full account takeover. The user can reset their account token, but until they do, the attacker retains access to the account.