Bypassing SSO Authentication from the Login Without Password Feature Lead to Account Takeover
Hi Everyone,
When I did Bug Hunting, I found the Login without Password feature. The Login without Password feature is a feature that is used for valid account users to log in without a password or valid account users can only log in using the OTP ( One-Time Password ) sent to the linked account email.
Before continuing, I will provide a little information regarding these vulnerable websites in the form of :
The website supports the use of email on multiple accounts because the SSO they implement to log in only uses the username and not the linked email.
And here I, as an attacker, I have 2 accounts with different usernames that have been linked using the same emails, namely :
- Username : attacker1
2. Username : attacker2
Then I tried going to the Login without Password feature. Then, I entered my account email. Following are screenshots:
And after that, the OTP was sent to my email ( attacker ).
Then I entered the OTP there, then you will get an account selection page for SSO login without a password like:
Notes:
From the screenshot above on the account selection page for SSO login without a password, you are required to have 2 accounts with different usernames and linked to the same email. Because if you only have 1 account with that email, then when you enter the correct OTP in the SSO Login request without a password, you will not get an account selection page for an SSO login without a password as in the screenshot above, but you will be immediately redirected SSO login to your account.
If so, catch the request when selecting one of your accounts on the account selection page for SSO login without a password.
Here’s the request:
POST /api/sso/login-without-password/auth HTTP/2
Host: sso.redacted.com
Cookie: [COOKIE]
User-Agent:
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Origin: https://www.redacted.com/
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Content-Length: 226{“track”:006,”action”:”login-without-password”,”code”:”[OTP]”,”token”:”22123w2DS4543jg23324e35SD==”,”username”:”attacker1"}
The following is a screenshot of the request :
I can see that there are several parameters in there, and I was surprised to see the username parameter.
Because I was curious, I tried to replace the username parameter value with the victim’s username.
It worked, SSO redirected to the final Endpoint of the Victim account.
Finally I got Account Takeover Vulnerability here.