Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Drilling the redirect_uri in OAuth

Voorivex, posted 1 year ago
  • One of the worst vulnerabilities in an OAuth implementation is an arbitrary redirect, because the authorization code from the OAuth provider is sent back in the URL before it is exchanged for an access token. If an attacker can make that redirect land on a website they control, with the code still in the URL, they can compromise the account.
  • The redirect_uri is usually validated very strictly by the provider. The state parameter, by contrast, is commonly used to carry extra application state and to prevent login CSRF; in some implementations its contents are not validated as thoroughly, yet they can still control the flow of execution.
  • The author found that the state parameter contained functionality to redirect to a secondary domain after the original domain, somewhat separate from OAuth. Their hypothesis is that the application had several different areas depending on the platform, so it needed a fixed redirect_uri to satisfy the provider's requirements and then redirected to the platform-specific page once the login was done.
  • This redirect driven by the state parameter led to a one-click account takeover of the application's account. I had personally seen this state used like this before, so it was interesting to see a vulnerability in it. Good find!
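To make the pattern concrete, here is an added example (my own illustration, not code from Voorivex's post or from the affected application) of a callback that takes its post-login destination from state, in the unsafe shape the summary describes and in a hardened shape. The origin, the allowlisted platform paths and the in-memory pending-login table are assumptions.

```python
import secrets
from typing import Optional
from urllib.parse import urlsplit

APP_ORIGIN = "https://app.example"              # assumption: the relying party's origin
ALLOWED_NEXT = {"/dashboard", "/mobile/home"}   # assumption: per-platform landing pages


def callback_redirect_unsafe(query: dict) -> str:
    """Vulnerable pattern: the destination is read from `state` verbatim and the
    authorization code is forwarded along with it, so an absolute URL in `state`
    carries ?code= off-site (modelled on the summary above; exact format assumed)."""
    return f"{query['state']}?code={query['code']}"


# Hardened pattern: the destination is chosen server-side at login start and kept
# behind a random nonce; the nonce is the only thing that travels in `state`.
_pending: dict = {}  # nonce -> next path (assumption: server-side store)


def begin_login(next_path: str) -> str:
    """Pick an allowlisted destination and return the opaque state value."""
    if next_path not in ALLOWED_NEXT:
        next_path = "/dashboard"          # unknown or external target: fall back
    nonce = secrets.token_urlsafe(32)
    _pending[nonce] = next_path
    return nonce


def callback_redirect_safe(query: dict, session_state: str) -> Optional[str]:
    """Reject missing or mismatched state (login CSRF), consume it once, and only
    redirect to a same-origin allowlisted path. The code is exchanged here and
    never appended to the onward redirect."""
    state = query.get("state")
    if state is None or not secrets.compare_digest(state, session_state):
        return None
    next_path = _pending.pop(state, None)   # one-time use
    if next_path is None:
        return None
    return APP_ORIGIN + next_path


def is_same_origin_path(target: str) -> bool:
    """Check for any leftover free-form 'next' parameter: absolute URLs,
    scheme-relative '//host' and backslash variants all fail."""
    parts = urlsplit(target)
    return (parts.scheme == "" and parts.netloc == "" and target.startswith("/")
            and not target.startswith("//") and "\\" not in target)
```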