FB OAuth Misconfiguration

Samet Yiğit
3 min read · Nov 17, 2024


Hello everyone. In this blog post I would like to discuss a Facebook OAuth misconfiguration vulnerability I discovered.

In this article I will describe how I bypassed e-mail verification through a Facebook OAuth misconfiguration.

First of all, I will refer to the program's domain as target.com.
When I browsed target.com, it offered login and register options. It was an e-shopping store.

First, I tried to register normally: after entering the code sent to my e-mail, the registration succeeded. The first account I registered was account-1@target.com. When I tried to register again with the same e-mail address, I got an error.

Then I clicked on the "Register with Facebook" option, and on the Facebook page that opened I clicked "Edit access".

On the page that opened, I switched the toggle for access to the e-mail address to "I do not accept".

Then a page appeared asking me to enter an e-mail address, and I entered account-1@target.com. The registration was successful.

Sign in with Google

When I registered with Google, I used my Gmail address attacker-2@target.com. Then a page popped up asking me to enter my first and last name, and my e-mail address was pre-filled on this page.

But I could not change the e-mail address on this page. I right-clicked on the mail textbox → Inspect and changed disabled="disable" to enabled="enable" on the mail box, then changed the mail to attacker-1@target.com.

(Screenshot: the mail textbox with its attribute changed to enabled="enable")

The registration was successful, but unfortunately I did not get an ATO here either. I reported both cases as an e-mail verification bypass and the creation of two users with the same e-mail.

Normally this would be an account takeover, but in this scenario it was not. Under normal conditions I could not create two different accounts with the same e-mail address; after these steps I was able to do so, and at the same time I was able to bypass the e-mail verification. I reported it to the team and they accepted it. They gave me a small bonus of $$ since it was a VDP.
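Both flows fail for the same reason: the server accepts an e-mail address that the identity provider never vouched for (Facebook, because the e-mail permission was declined and the site simply asked the user to type one; Google, because the completion form's "disabled" textbox is only a client-side hint) and skips the uniqueness check and verification step that the normal sign-up applies. The following Python module is an added example, not code from the original post or from the affected site; its function names, in-memory user store and provider payloads are all constructed for illustration. It places the vulnerable completion handler beside a hardened one that binds an account only to a provider-verified address, otherwise falls back to the same e-mail verification as password sign-up, and enforces uniqueness server-side in both branches.

```python
"""Added example, not from the original post: server-side completion of an
OAuth sign-up, vulnerable pattern beside the hardened one. All names, the
in-memory store and the sample provider payloads are constructed."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class ProviderProfile:
    """What the provider's userinfo endpoint returned for this login (constructed)."""
    provider: str
    subject: str                  # provider-side user id
    email: Optional[str]          # None when the user declined the e-mail permission
    email_verified: bool = False  # set by the provider adapter from the provider's own claim


@dataclass
class UserStore:
    """Minimal in-memory user table (constructed for the example)."""
    users: List[Dict[str, str]] = field(default_factory=list)
    pending: Dict[str, str] = field(default_factory=dict)  # e-mail -> verification token

    def exists(self, email: str) -> bool:
        return any(u["email"] == email.lower() for u in self.users)

    def create(self, email: str, provider: str, subject: str) -> Dict[str, str]:
        user = {"email": email.lower(), "provider": provider, "subject": subject}
        self.users.append(user)
        return user

    def count(self, email: str) -> int:
        return sum(1 for u in self.users if u["email"] == email.lower())


def complete_signup_vulnerable(profile: ProviderProfile, form: Dict[str, str],
                               store: UserStore) -> Dict[str, object]:
    """The pattern the post describes: whatever e-mail arrives in the completion
    form wins. A 'disabled' textbox is only a client-side hint, and when the
    provider returned no address the server just asks for one and believes it.
    No uniqueness check, no verification mail."""
    email = form.get("email") or profile.email or ""
    return {"status": "created",
            "user": store.create(email, profile.provider, profile.subject)}


def complete_signup_hardened(profile: ProviderProfile, form: Dict[str, str],
                             store: UserStore,
                             issue_token: Callable[[], str]) -> Dict[str, object]:
    """Bind an account to an address only when the provider vouches for it.
    Otherwise treat the form value as an unverified claim and run the same
    verification step as password sign-up. Uniqueness is enforced server-side
    in both branches."""
    if profile.email and profile.email_verified:
        # The form field is ignored entirely: the provider's claim is the source of truth.
        email = profile.email.lower()
        if store.exists(email):
            # Linking to the existing account is a product decision; never create a duplicate.
            return {"status": "conflict", "reason": "email already registered"}
        return {"status": "created",
                "user": store.create(email, profile.provider, profile.subject)}

    # Provider gave no verified address (e.g. the e-mail permission was declined):
    # the typed address is only a claim until a code sent to it comes back.
    claimed = (form.get("email") or "").strip().lower()
    if not claimed:
        return {"status": "error", "reason": "email required"}
    if store.exists(claimed):
        return {"status": "conflict", "reason": "email already registered"}
    store.pending[claimed] = issue_token()
    return {"status": "verification_sent", "email": claimed}


if __name__ == "__main__":
    store = UserStore()
    store.create("account-1@target.com", "password", "local")   # the first, normal sign-up
    declined = ProviderProfile("facebook", "fb-1", email=None)  # e-mail permission declined
    print(complete_signup_vulnerable(declined, {"email": "account-1@target.com"}, store))
    print("accounts for account-1:", store.count("account-1@target.com"))  # 2: duplicate created
    print(complete_signup_hardened(declined, {"email": "account-1@target.com"}, store,
                                   lambda: "tok-constructed"))  # conflict, nothing created
```

The provider adapter should set `email_verified` only from a claim the provider itself makes (OpenID Connect's `email_verified`, for instance); where a provider returns no address or no such claim, the hardened handler treats whatever the user types as unverified and sends a code to it, exactly as the password sign-up on the site already did. Whether a verified provider address that matches an existing account should link to it or be refused is a product decision, but either way the second account is never created.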

Thanks for reading, everyone, and stay healthy.
