Breaking the Chain: Exploiting OAuth and “forgot password” for account takeover
In this write-up, the author shares two account takeover vulnerabilities they presented at the Bug Bounty Argentina Village at Ekoparty 2024. The first involves manipulating a 16-digit code to achieve account takeover without brute force, using OAuth and Facebook registration on www.vulnerable.com. The author discovered that the authentication method only required a valid oauthId, which made brute-force attacks possible. They later found an XSS vulnerability and used it to obtain the FB token, but not the userID. The second vulnerability involves abusing a password update endpoint that relies on the UUIDs assigned to users across different workspaces. The author discovered that by inviting a victim's email address to their own workspace, they could obtain the victim's UUID and, after locking the victim's account with six failed login attempts, use that UUID to change the victim's password and take over the account. The author thanks Bugcrowd for supporting them and sponsoring their talk, and acknowledges Link Clark for valuing their input.
Company
Bugcrowd
Date published
Dec. 3, 2024
Author(s)
Santerra Holler
Word count
2149
Language
English
Hacker News points
None found.