Account Takeover - Inside The Tenant
Summary :
Account Takeover (ATO) is an attack using which an attacker cat take ownership of another person’s account. There are multiple ways for an account takeover attack, namely brute forcing credentials, credentials stuffing, response manipulation, password reset poisoning, social engineering and phishing, 2FA bypass attacks etc.
Description :
I have found a vulnerability on a private program on one of the bug bounty platform for which I was awarded 150 USD. While browsing the application I found an invite functionality which was vulnerable to invitation token leakage. I took the advantage of the leaked invitation token to takeover the victim’s account via an unregistered email that was handled by me (attacker).
What is Tenant ?
In simple words a tenant is defined as a group of users from a single organization or company. There is an admin in the tenant who can invite other users to work for the company by which the tenant has been created. A tenant can be of IT department, Accounts department, Sales department etc.
How I found this vulnerability ?
- I logged into the account (admin credentials were provided by the platform) and clicked on the Invite user functionality
2. I entered victim’s email and clicked on Invite button
3. Then I intercepted the request using burpsuite and did right click on the request > Do intercept > Response to this request
4. I crafted the URL for the invitation token and opened it in the browser because the token was already leaked in the response, then I clicked on Accept and it asked me to enter an email
5. Then I went to Temp Mail and copied the unregistered email and pasted it on the website and clicked on the button and then I clicked on Approve
6. Then the code was sent to an unregistered email (attacker’s email)
7. I used the code and I accepted the invitation sent to the victim
Why it happened ?
In my opinion,
Two flaws were there in the web application
- The invitation token was leaked in the response while inviting the user
- The validation of the invited user on invitation token was not done
Impact
Any admin can takeover the account of any user who is invited by the admin to the tenant.
The severity would be low to medium because the attack is within the tenant and apart from it the only thing an admin can do here is impersonating the invited user and perform the actions behalf of that user and an admin is not able to impersonate the existing user.
Calculated CVSS
Vector String - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Score - 5.4 (Medium)
Mitigation
There will be two mitigations here
- The invitation code should not be sent in the response from the server
- A checked should be performed against the invite code and invited email address
Secure Code
// Check if the provided email matches the invite code
if (email == inviteCode) {
// Email matches the invite code
// Proceed with the rest of the authentication process
// …
} else {
// Email does not match the invite code
// Return an error message or ask for the correct invite code
// …
}