This article details a security vulnerability chain found through subdomain enumeration and exploitation, covering an OAuth integration, content discovery, a CORS misconfiguration, and an open redirect that together allow an attacker to steal user data. Affected: redacted_sub.com, users with OAuth credentials, online identity security
Keypoints:
- The vulnerability, reported through a public submission, is a chain of several weaknesses rather than a single bug.
- Subdomain enumeration with tools such as Subfinder and Amass builds the list of candidate hosts, which are then probed to find the ones that are live.
- Automatically screenshotting the live hosts speeds up triage, making the subdomains worth manual inspection stand out quickly.
- One such subdomain exposed an OAuth login whose implementation put user data at risk.
- Content discovery on that subdomain revealed an endpoint that returns sensitive user information without adequate access control.
- A CORS misconfiguration lets a page on an attacker-controlled origin make requests to that endpoint that carry the victim's session cookie and read the response, so the data can be exfiltrated.
- An open redirect lets an attacker send victims to a malicious site once the OAuth login completes.
- The exploit affects all users of the main site, whether or not they have previously used the third-party services.
- A proof of concept is provided as code snippets demonstrating the attack chain.
- Recommendations: restrict CORS to an explicit allow-list of origins, validate the redirect parameter against permitted destinations, and add CSRF protection.
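As an added example (not code from the original writeup or the affected site), the following Python models the two server-side weaknesses the keypoints name and the fixes the recommendations call for: a CORS handler that reflects any Origin while allowing credentials, next to an allow-list version, and a validator for the post-login redirect parameter that rejects off-site targets. The host names, the allow-list contents and the parameter handling are assumptions for illustration, not details taken from the report.

```python
"""Added example: CORS misconfiguration vs allow-list, and open-redirect validation.
Not from the original writeup; host names and policies below are assumed."""
from urllib.parse import urlsplit

# Assumed: the site's own origins that legitimately need credentialed CORS access.
ALLOWED_ORIGINS = {
    "https://redacted_sub.com",
    "https://app.redacted_sub.com",
}


def cors_headers_vulnerable(request_origin: str) -> dict:
    """The misconfiguration: whatever Origin the browser sent is echoed back
    together with Allow-Credentials, so a page on any origin can issue a
    cookie-bearing request to the endpoint and read the response."""
    if not request_origin:
        return {}
    return {
        "Access-Control-Allow-Origin": request_origin,
        "Access-Control-Allow-Credentials": "true",
    }


def cors_headers_hardened(request_origin: str) -> dict:
    """Allow-list fix: only an exact, scheme-qualified origin on the list is
    echoed. Unknown origins get no CORS headers, so the browser blocks the
    read. 'Vary: Origin' keeps caches from serving one origin's headers to
    another. (A suffix match such as endswith('redacted_sub.com') would be
    a second misconfiguration: it matches 'https://evilredacted_sub.com'.)"""
    if request_origin in ALLOWED_ORIGINS:
        return {
            "Access-Control-Allow-Origin": request_origin,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin",
        }
    return {}


def can_read_credentialed_response(headers: dict, page_origin: str) -> bool:
    """Browser-side rule: a script on page_origin may read a credentialed
    cross-origin response only if the server echoed that exact origin and
    allowed credentials ('*' with credentials is refused by browsers)."""
    acao = headers.get("Access-Control-Allow-Origin")
    acac = headers.get("Access-Control-Allow-Credentials", "").lower() == "true"
    return acao == page_origin and acac


def safe_redirect_target(redirect_param: str, default: str = "/") -> str:
    """Open-redirect fix: accept only a same-site path. Anything with a
    scheme or host (https://evil, //evil, javascript:) or a backslash
    (some browsers treat '/\\evil' like '//evil') falls back to default."""
    if not redirect_param:
        return default
    parts = urlsplit(redirect_param)
    if parts.scheme or parts.netloc:
        return default
    if (not redirect_param.startswith("/")
            or redirect_param.startswith("//")
            or "\\" in redirect_param):
        return default
    return redirect_param


if __name__ == "__main__":
    attacker = "https://attacker.example"  # assumed attacker-controlled origin
    print("reflecting server, attacker can read:",
          can_read_credentialed_response(cors_headers_vulnerable(attacker), attacker))
    print("allow-list server, attacker can read:",
          can_read_credentialed_response(cors_headers_hardened(attacker), attacker))
    for candidate in ["/account", "//attacker.example/", "https://attacker.example/",
                      "/\\attacker.example", "javascript:alert(1)"]:
        print(f"redirect {candidate!r} -> {safe_redirect_target(candidate)!r}")
```

The redirect validator returns a path rather than a boolean so the login handler can use its result directly as the Location value; the CORS functions return the header dict a framework would attach to the response, which makes the difference between the two policies easy to assert in tests.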