some-image here

CSRF + Open Redirect To Account Takeover

I wrote about this bug on medium and now moving it here with some improvements. The bug is a chain of CSRF + Open Redirect that could lead to total account takeover. The CSRF was not the typical one, well it was in a way but you will see why its not a typical one and how i found it by luck and then chaining it with Open Redirect to bypass a "Successfully Added Secondary Email Address" pop-up notification. Lets jump in.

I simply picked a public VDP program from bugcrowd and started to look for bugs without any recon because the scope was very small and as it was a public VDP program i didnt feel like to start with recon.So i directly jumped on the main app, i created an account and started poking around to see how web works, what functionalities/features it have. When i got basic idea of the web app i started looking for bugs. I usually start from account settings page because this is where you can look for some easy bugs like csrf,idor,xss,csti/ssti (not easy actually :p) etc. The first thing i tried was csrf on adding secondary email feature. First let me tell you about this feature.

You can add a secondary email to your account where you can get updates,password reset tokens etc just like the primary email address. When you will add a secondary email address, you will receive a confirmation link on that email address and you have to open that link in the same browser where you're already logged into the web app, if not then the web application will ask you to login first for confirmation. When you confirm the link then you will be redirected to your account settings page and a notification will pop-up saying, "Successfully Added Secondary Email Address".

I added my second email address and intercepted the request in Burp to see if the website have any anti-csrf tokens and it had anti-csrf tokens in the request, i forwarded the request without modifying anything and got confirmation link on my email address and i opened that confirmaion link in the same browser where i logged in and the secondary email address successfully added to my account with a pop-up notification as intended.
Now it was the time to check if the server is validating those anti-csrf tokens or not. I removed my secondary email address and added it again but this time i intercepted the request and removed the anti-csrf tokens (i only removed the value and left the paremeter empty). Upon forwarding the request i got an error of "No CSRF TOKENS" but i heard a beep on my mobile phone and to my surprise it was a confirmation link.

"I got a confirmation link of adding secondary email without providing the anti-csrf tokens. Yes, i got the missing csrf token error but the server was still sending me the confirmation link".

When i saw this i was happy and i was 100% sured that this is going to be duplicate but still it will give me some reputation so there is no harm in submitting it. I created the second account for confirmation and created CSRF exploit. In the exploit i used the new email address not the one i used previously. When i ran the exploit i got the error of missing csrf tokens and i chuckled and waited for the confirmation link on my email address but i didnt get it. I ran the exploit again and again but i didnt get the confirmation link, i also ran it on my first account but didnt get the link. I thought maybe it was using anti-csrf token header in the request which i missed, i checked the request again but there was not any header carrying the anti-csrf tokens. I went back to my first account and tried to add the same email again the email i used while testing for csrf, when i added it as my secondary email and removed the csrf token from the request i got the error but also the confirmation link. I got an idea of using this email (which i already added as a secondary email address in my first account) in CSRF exploit. When i added it into the exploit and ran it on my second account i got the confirmation link.

So this is what was happening, if you try to add a new email address as a secondary email into your account without csrf tokens then you will get an error. But if you try to add an already used email address to your account as a secondary email address without csrf tokens you will get an error too but you will also receive a confirmation link.

Now there is one more problem, an attacker cannot use the confirmation link without being logged into victim's account which is not possible. What an attacker can do he can send the confirmation link to the victim and when victim will open the confirmation link the attacker's email will be successfully added to the victim's account. There was one more problem, when the victim will open that link he will see a pop-up notification of "Secondary Account Added Successfully" and he will know a second email address is added to his account. I couldn't think of any way of bypassing the pop-up notification. Because i thought someone must have submitted it and my report will get duplicate to it and i will get my points so there is no need to burn myself on this (i was totally wrong). I simply submitted the report with reproductions steps and csrf exploit.

The program expected response was within 30 days and i got response from them after 23 days that he is unable to reproduce the issue. That time i was busy on another program so i didnt reply them back at that time. If you dont reply back in 15 days then your report will closed as n/a which i didnt know :p. I didnt reply back and he closed my report after 2,3 weeks as n/a and also i didnt feel like trying the csrf again and correcting the csrf poc.

After 4 months i was going through my reports and saw this report and thought about trying it out again. I tried and the csrf was still there. I posted a comment on the report of its still working and got a reply from them that, "Please provide us a working PoC". The PoC was working for me but not for them. I created one more new account to test the CSRF PoC on that account and it worked. This time when i received the confirmation link on my address i noted the "redirect" parameter in the link, i didnt notice it earlier. The value of the "redirect" parameter was "/profile/settings". This "redirect" parameter was redirecting users to profile settings page where the "Adding secondary Account" notification was poping-up. I thought what if redirect user to any other section of the website like "/home" , will he still get the noticaition, i changed the value of "redirect" parameter to "/home" and opened it in the browser and i was redirect to HOME page of the web application and the notification didnt pop. I quickly checked the account settings and my secondary email was there lol. I found the bypass of "Successfully Adding Secondary email address" pop-up notifcation. Here is the proper working steps:

Attack Scenario

Lets suppose an attacker have this email address "attacker@gmail.com" and he want to add this email address to victim's account via CSRF then he have to follow these steps:

  1. First he will add this email address "attacker@gmail.com" to his own account the intended way and confirm it via confirmation link.
  2. Then he will remove this email address and now this email address is ready to be used in CSRF exploit.
  3. Now attacker just have to make a CSRF exploit with "attacker@gmail.com" email address and send it to victim.
  4. When victim run the exploit the attacker will receive a confirmation link on his email address.
  5. The attacker will change the value of "redirect" parameter to "/home" and send it to the victim.
  6. And when the victim will open the confirmation link the attacker's email address will be added to victim's account without that pop-up notification because the victim will go to home page instead of the profile settings page.

I created a nice report and submitted it under the same ticket. The triager ran my exploit and i got a confirmation link on my address, i modified the "redirect" parameter and sent it back to the triager. He opened it and my email was added to his account. He marked my report as p3 because of user interaction and he told me that, "I'm sorry that it took a long time to fully validate this issue, and I'm glad that we got to verify the PoC. Later today, you will receive an invitation to the Example Private program and I kindly ask you to file a report in Example Private program with the same details (just copy paste the vulnerability report) and I'll make you a surprise shortly after you will create the submission. Be on the lookout for the private invitation email on your inbox :)

Next day i got a private invitation of the same program where they were paying for p1,p2 and p3 submissions, i submited the same report there and they triaged my report as p2 because they like the report and my finding and also my patience xD and also paid me 4 digits nice bounty which was totally unexpected.

The wirte up is quit long and boring with full of mistakes. If you dont understand it or want to give me a feedback please feel free to reach me at my twitter or on Discord, my username on discord is "Demon#1841". If you're reading this, Thank you so much. See you in the next article.