{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/account_takeover/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["github.com/lin-snow/Ech0 (\u003c 1.4.8-0.20260503040728-a7e8b8e84bd1)"],"_cs_severities":["medium"],"_cs_tags":["oauth","redirect_bypass","account_takeover","web_application"],"_cs_type":"advisory","_cs_vendors":["GitHub"],"content_html":"\u003cp\u003eA vulnerability exists in Ech0\u0026rsquo;s OAuth implementation where the \u003ccode\u003eparseAndValidateClientRedirect\u003c/code\u003e function improperly validates redirect URIs. Specifically, the validation logic only checks the scheme and host of the redirect URI against the admin-configured allowlist, neglecting to validate the path, query, or fragment components. This flaw allows an attacker to craft a \u003ccode\u003eredirect_uri\u003c/code\u003e with a valid, allowlisted host but a malicious path. By exploiting this, an attacker can trick a user into completing the OAuth flow, resulting in a redirect to the attacker-controlled path with the one-time exchange code appended in the query string. This code can then be exchanged for the victim\u0026rsquo;s access and refresh tokens, leading to account takeover. Observed in version v4.5.6, this vulnerability highlights a critical flaw in the OAuth implementation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker crafts a malicious link containing a \u003ccode\u003eredirect_uri\u003c/code\u003e parameter. The host in this URI matches an allowed origin, but the path component points to an attacker-controlled location (e.g., \u003ccode\u003ehttps://myecho.example.com/attacker-chosen-path\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe victim clicks the malicious link, initiating the OAuth login flow at \u003ccode\u003e/oauth/:provider/login\u003c/code\u003e. The \u003ccode\u003eredirect_uri\u003c/code\u003e is embedded, without validation, into a signed state JWT.\u003c/li\u003e\n\u003cli\u003eThe victim authenticates through the OAuth provider (e.g., GitHub).\u003c/li\u003e\n\u003cli\u003eEch0 receives the OAuth callback, extracts the \u003ccode\u003eredirect_uri\u003c/code\u003e from the state JWT, and performs a partial validation (scheme and host only) via \u003ccode\u003eparseAndValidateClientRedirect\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eBecause the host matches the allowlist, the validation passes, and Ech0 generates a one-time exchange code.\u003c/li\u003e\n\u003cli\u003eEch0 redirects the victim to the attacker-chosen path with the code appended as a query parameter: \u003ccode\u003ehttps://myecho.example.com/\u0026lt;attacker-path\u0026gt;?code=\u0026lt;one-time-exchange-code\u0026gt;\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker retrieves the one-time code, either through Referer header leakage, analytics scripts, or an open redirect on the compromised path.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the retrieved code to \u003ccode\u003ePOST\u003c/code\u003e to the \u003ccode\u003e/api/auth/exchange\u003c/code\u003e endpoint, obtaining the victim\u0026rsquo;s access and refresh tokens.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows the attacker to fully compromise the victim\u0026rsquo;s Ech0 account. This can lead to unauthorized access to sensitive data, modification of account settings, and potential further compromise of systems accessible via the compromised account. The attack requires a single click by the victim and leverages common web vulnerabilities like Referer leakage or open redirects. The vulnerability is significant as it violates RFC 6749 §3.1.2, which mandates exact redirect URI matching.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImplement exact redirect URI matching by validating the full URI (scheme, host, and path) in the \u003ccode\u003eparseAndValidateClientRedirect\u003c/code\u003e function. See code example in the advisory.\u003c/li\u003e\n\u003cli\u003eImplement additional input validation of the \u003ccode\u003eredirect_uri\u003c/code\u003e parameter at the login endpoint (\u003ccode\u003e/oauth/:provider/login\u003c/code\u003e) before embedding it in the state JWT, as described in the advisory.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Ech0 OAuth Redirect Bypass Attempt\u0026rdquo; to identify potential exploitation attempts by monitoring for suspicious \u003ccode\u003eredirect_uri\u003c/code\u003e parameters containing paths other than the allowed ones.\u003c/li\u003e\n\u003cli\u003eIf using GitHub OAuth, review the allowed return URLs and ensure they are as specific as possible to prevent path-based bypasses.\u003c/li\u003e\n\u003cli\u003eUpgrade to a patched version of Ech0 that addresses this vulnerability. The advisory indicates versions prior to 1.4.8-0.20260503040728-a7e8b8e84bd1 are vulnerable.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-23T12:00:00Z","date_published":"2024-01-23T12:00:00Z","id":"/briefs/2024-01-23-ech0-oauth-bypass/","summary":"Ech0's OAuth redirect URI validation ignores the path component, allowing attackers to craft malicious redirect URIs for exchange-code theft and potential account takeover.","title":"Ech0 OAuth Redirect URI Validation Bypass Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-23-ech0-oauth-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed — Account_takeover","version":"https://jsonfeed.org/version/1.1"}