I found one logical issue when I was testing. I am directly coming to the test case because there is nothing much here to explain.
About the application working:
An application had OpenID connect by Gmail and also had a normal registration page (username and password).
An application had an email change functionality, where the user could change the email ID to any email ID. One condition was that the email should not be registered previously by a normal registration form.
The application was not verifying the user's new email id.
Attacker Scenario:
Attacker email ID: attacker@gmail.com
Victim email ID: victim@gmail.com (He has not registered an account in the application till step 2)
- The attacker created his account by using attacker@gmail.com and logged into the application.
- The attacker clicked on the change email functionality and mentioned the victim email ID victim@gmail.com.
- Now, Victim thought to create an account by using OpenID Connect (Gmail SSO). The victim logged into the application.
- As the attacker already changed his email ID to the victim, so now the attacker used victim's email ID and attacker password to log into the attacker account.
- What the victim does in his account, it’s visible to the attacker.
This is an Account Takeover issue because the developer was not verifying the changed email ID and the developer was not checking whether the email ID is already registered or not, users were allowed to login by OpenID Connect when the email ID was already registered by normal registration.
Small issue but powerful :P
Comments
Post a Comment