The redirect link in Logitech redirects any authenticated user and appends the access token to the destination link. Anyone who obtains that link can then authenticate with the access token.
In a previous report, it was found that this redirect could be pointed at any domain. This caused an access token leak if anybody clicked on the link while logged in.
The author was looking at this old report and was curious whether there was any way to bypass the open redirect allowlist, because if such a bypass were found, an access token could be trivially stolen.
The bypass was unconventional! Instead of finding a parsing bug, they looked for other domains on the Wayback Machine. While looking there, they noticed several other domains that had been used in the past. One of them was unregistered!
By registering this domain, they could have the redirect sent to their own site. If a logged-in user clicked such a link, their access token would be stolen from the OAuth flow!
Good find! The Wayback Machine is even useful for security research!
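A defender's view of the same failure, as an added example that is not code from the original report or from Logitech: an exact-match redirect allowlist still passes a host whose registration has lapsed, so the allowlist itself needs a periodic audit. The hostnames, function names and the https-only rule are assumptions for illustration, and the fake resolver is constructed data standing in for DNS.

```python
import socket
from urllib.parse import urlsplit

# Constructed allowlist; placeholder hostnames, not the real entries.
ALLOWLIST = {"app.example.com", "legacy-partner.example.net"}

def redirect_allowed(url, allowlist=ALLOWLIST):
    """Exact-hostname check over https only; no suffix or substring matching."""
    parts = urlsplit(url)
    return parts.scheme == "https" and (parts.hostname or "") in allowlist

def system_resolver(host):
    """Resolve through the OS resolver; raises socket.gaierror on failure."""
    return socket.getaddrinfo(host, 443)

def audit_allowlist(allowlist, resolve=system_resolver):
    """Return allowlisted hosts that no longer resolve.

    A resolution failure is only a hint that the registration may have
    lapsed; confirm ownership with the registrar before deciding. A lapsed
    domain that someone else has already registered will resolve again,
    so this check does not replace an ownership review.
    """
    stale = []
    for host in sorted(allowlist):
        try:
            resolve(host)
        except socket.gaierror:
            stale.append(host)
    return stale

def fake_resolver(host):
    """Offline stand-in for DNS (constructed): only app.example.com resolves."""
    if host != "app.example.com":
        raise socket.gaierror("constructed: no such host")
    return [("203.0.113.10", 443)]

if __name__ == "__main__":
    # The parser is correct, yet the stale entry is still a valid target.
    print(redirect_allowed("https://legacy-partner.example.net/cb"))
    # The audit is what surfaces the entry that needs review.
    print(audit_allowlist(ALLOWLIST, fake_resolver))
```

Run against the real allowlist with the default `system_resolver`, and treat every flagged host as a removal candidate until ownership is confirmed.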