Ramalingasamy

Oauth misconfiguration == Pre-Account Takeover

Hey fellow hackers,

Here Ramalingasamy M K(Security Researcher),

After so many months, I am back with a writeup for an interesting vulnerability i found in RedBull two days ago,but it was duplicate.

Smile in pain

But the vulnerability was quite interesting.Lets start !!!!

Start the hunting.

Lets look at that website,the website looks like a normal webpage.I go to the signup page and the page looks like,

I created an account using victim mail and didn’t completed the email confirmation and logged into redbull account.so,here there was an confirmation email send to the registered email address(victim mail).So,the vulnerability here is bypassing the email verification.

How to bypass :

You can see that, there is two methods to login and register the account.So here i already created account with victim mail,when the victim login this account using continue with google , the email verification bypassed.

So, the attacker also having access to that account.

Thanks for reading this writeup!!.

Writeup’s coming !!

  1. Just a Click , All the customers and products gets deleted!!

Security researcher | SDE