Account Takeover - Inside The Tenant

Summary :

Account Takeover (ATO) is an attack by which an attacker takes ownership of another person’s account. There are multiple ways to carry out an account takeover attack, namely brute-forcing credentials, credential stuffing, response manipulation, password reset poisoning, social engineering and phishing, 2FA bypass attacks, etc.

Description :

I found a vulnerability in a private program on one of the bug bounty platforms, for which I was awarded 150 USD. While browsing the application I found an invite functionality that was vulnerable to invitation token leakage. I took advantage of the leaked invitation token to take over the victim’s account via an unregistered email address that I (the attacker) controlled.

What is a Tenant?

In simple words, a tenant is a group of users from a single organization or company. The tenant has an admin who can invite other users to work for the company for which the tenant was created. A tenant can be, for example, an IT department, an Accounts department or a Sales department.

Tenant - Basic

How did I find this vulnerability?

Admin Account

2. I entered the victim’s email address and clicked the Invite button

Invitation Functionality

3. Then I intercepted the request with Burp Suite, right-clicked the request and chose Do intercept > Response to this request

Burpsuite - Request
Burpsuite - Response
Pending Invitation

4. Because the invitation token was leaked in the response, I crafted the invitation URL with that token and opened it in the browser. I then clicked Accept and was asked to enter an email address

Invitation Token URL (Victim)
Asking for Invited Email (Victim’s Email)

5. Then I went to Temp Mail, copied the unregistered email address, pasted it into the form on the website, clicked the button and then clicked Approve

Temp Mail
Entered the unregistered email (Attacker’s email)
Approve

6. The verification code was then sent to the unregistered email address (the attacker’s email)

Verification Code Sent
Verification Code

7. I entered the code and accepted the invitation that had been sent to the victim

Verification Code
Account Takeover
Invitation Accepted

Why did it happen?

In my opinion,

There were two flaws in the web application:

  1. On accepting the invitation, the email address entered by the user was not validated against the email address the invitation token was issued for, so the verification code went to whatever address the acceptor typed
  2. The invitation token was returned in the HTTP response to the inviting admin, so it could be read without any access to the invited user’s mailbox

Impact

Any admin can take over the account of any user whom the admin has invited to the tenant.

The severity would be low to medium because the attack stays within the tenant: the only thing the admin gains is the ability to impersonate the invited user and perform actions on that user’s behalf, and an admin cannot impersonate an already existing user.

Calculated CVSS

Vector String - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Score - 5.4 (Medium)

Attack Flow

Mitigation

There are two mitigations here:

  1. A check should be performed against the invite code and the invited email address: the invitation must only be accepted with the email address it was issued for, and the verification code must be sent to that address only
  2. The invitation token must not be returned in the response to the admin who creates the invite; it should be delivered only to the invited user’s email address

Secure Code

// Look up the invitation by its code and compare the stored invited email
// with the email supplied on the accept page (the lookup helper is assumed)
const invite = findInviteByCode(inviteCode);
if (invite && invite.invitedEmail === email) {
  // Email matches the invitation
  // Proceed with the rest of the acceptance process
  // …
} else {
  // Email does not match the invitation (or the code is unknown)
  // Return an error; do not send the verification code to the entered address
  // …
}

Jerry Shah (Jerry)

|Penetration Tester| |Hack The Box| |Digital Forensics| |Malware Analysis|