Users Account Pre-Takeover or Users Account Takeover. in microweber/microweber

Valid

Reported on

May 5th 2022


Team,

May you all be well on your side of the screen. :)

While Doing some research on the https://microweber.org, I was able to find a Pre-Account Takeover vulnerability.

Kindly check the proof of concept video & reproduction steps for better understanding.

Proof of concept:

I have uploaded the both of the proof of concept video in my drive.

And turned on the link sharing.

Kindly check it out once.

https://drive.google.com/file/d/1qRG-NGPq5jKl5ekeUtzI7SYqwmcI2x3_/view?usp=sharing

Steps to Reproduce:

Go to the https://microweber.org

Try to create new account by using the victim email address.

Example:

My victim: testerheredaw@gmail.com

Once done with entering the needful details for signup, we were landed on the dashboard directly by using the victim email.

In attacker end attacker has victim email id and password to login on the https://microweber.org

Victim end, victim receiving email notification for account verification from the https://microweber.org and victim checking it out.

Then, victim can try to login through the Google Oauth SSO, what happens here victim can directly land on the dashboard by using the SSO.

Which shows attacker end attacker can login through the victim email address and password, victim end victim can login through the Google Oauth SSO.

Since, Attacker and victim end same account was used on.

Until victim identifies this is attacker created account, and then until victim change the password and or adding Authenticator OTP, both of their ends the same account was accessed.

That's the issue and it shows the Account Takeover.

Solution:

Either don't let the user enter with Oauth when there's already another account created with the same email or let the user enter but let him know someone else has already created an account and if it was him or not then ask him to change the password.

First, clearly verify the Email OTP or link, then give the access to the dashboard.

The easiest remediation to this issue is to ensure that the email verification is adequately implemented and can not be bypassed.

Further, by ensuring that the social logins are correctly implemented, the email extracted from the social login is verified against the existing user’s database to ensure that the victim asked to reset the password.

By doing so, it is possible to remove the attacker’s persistence.

Cheers!

Impact

Victim Account Take Over.

Since, there is no email confirmation, an attacker can easily create an account in the application using the Victim’s Email.

This allows an attacker to gain pre-authentication to the victim’s account.

Further, due to the lack of proper validation of email coming from Social Login and failing to check if an account already exists, the victim will not identify if an account is already existing.

Hence, the attacker’s persistence will remain.

An attacker would be able to see all the activities performed by the victim user impacting the confidentiality and attempt to modify/corrupt the data impacting the integrity and availability factor.

This attack becomes more interesting when an attacker can register an account from an employee’s email address.

Assuming the organization uses G-Suite, it is much more impactful to hijack into an employee’s account.

We are processing your report and will contact the microweber team within 24 hours. 22 days ago
Manojkumar J modified the report
22 days ago
We have contacted a member of the microweber team and are waiting to hear back 21 days ago
Bozhidar Slaveykov modified the Severity from Critical (9.8) to High (8.3) 19 days ago
Bozhidar Slaveykov modified the Severity from High (8.3) to High (7.6) 19 days ago
Bozhidar Slaveykov modified the Severity from High (7.6) to Medium (6.8) 19 days ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Bozhidar Slaveykov validated this vulnerability 19 days ago
Manojkumar J has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Bozhidar Slaveykov confirmed that a fix has been merged on c162df 19 days ago
Bozhidar Slaveykov has been awarded the fix bounty
Bozhidar
19 days ago

commit ssha: 0ed398c37fb258101eced837f612901b92fc4371 repo url: https://github.com/microweber-dev/login-server/commit/0ed398c37fb258101eced837f612901b92fc4371

to join this conversation