Account Pre-Hijacking
- the hacker signs up with xxxx@gmail.com via the normal email/password way
- the email arrives in their xxxx mailbox but it is ignored (it might even be flagged as something they don't read anyway because, for now, it's an unknown service)
- the user, at some time in the future, goes to the site and signs up (they think) by clicking 'sign up with Google'
- the site now merges the former account with the latter and signs in the user; because they are signing in with Gmail, there is no email link that has to be clicked

The site's (erroneous) db entry is now a validated (via SSO) account with a manual password; the hacker can now log in with the password they set in the first place, while the real user logs in via the Google SSO link.
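The merge step described above, as an added example that is not part of the original issue or of this project's code: a minimal in-memory account store with a classic email/password signup and a "sign in with Google" path. `Site(hardened=False)` merges the way the issue describes, so the password set by the attacker keeps working after the victim's SSO login. `Site(hardened=True)` treats a never-verified classic credential as unproven control of the mailbox and discards it (and any sessions minted from it) before linking the SSO identity. The class names, the `simulate` helper, the IdP subject value and the email address are all made up for the illustration.

```python
"""Account pre-hijacking: classic-to-SSO merge, vulnerable vs. hardened.

Constructed example. Everything here (store, names, emails) is invented.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set
import hashlib
import secrets


@dataclass
class Account:
    email: str
    password_hash: Optional[str] = None   # classic credential, if any
    email_verified: bool = False          # True once the signup link is clicked
    sso_subject: Optional[str] = None     # IdP "sub" claim once linked
    sessions: Set[str] = field(default_factory=set)


def _hash(password: str) -> str:
    # stand-in for a real password hash (use argon2/bcrypt in production)
    return hashlib.sha256(password.encode()).hexdigest()


class Site:
    def __init__(self, hardened: bool):
        self.hardened = hardened
        self.accounts: Dict[str, Account] = {}

    # classic signup: the row exists immediately, email not yet verified
    def signup_password(self, email: str, password: str) -> None:
        if email in self.accounts:
            raise ValueError("account already exists")
        self.accounts[email] = Account(email, password_hash=_hash(password))

    def login_password(self, email: str, password: str) -> Optional[str]:
        acct = self.accounts.get(email)
        if acct is None or acct.password_hash is None:
            return None
        if acct.password_hash != _hash(password):
            return None
        tok = secrets.token_hex(8)
        acct.sessions.add(tok)
        return tok

    # "sign up / sign in with Google": the IdP has asserted (subject, email)
    def login_sso(self, subject: str, email: str) -> Optional[str]:
        acct = self.accounts.get(email)
        if acct is None:
            acct = Account(email, email_verified=True, sso_subject=subject)
            self.accounts[email] = acct
        elif acct.sso_subject is None:
            # merge path: an existing classic account with the same email.
            # Vulnerable behaviour: link the IdP identity and keep whatever
            # password is already on the row, verified or not.
            if self.hardened and not acct.email_verified:
                # Nobody ever proved control of this mailbox via the classic
                # flow, so the password (and sessions made with it) are
                # untrusted: drop them before the SSO identity is attached.
                acct.password_hash = None
                acct.sessions.clear()
            acct.sso_subject = subject
            acct.email_verified = True
        elif acct.sso_subject != subject:
            return None  # email already bound to a different IdP subject
        tok = secrets.token_hex(8)
        acct.sessions.add(tok)
        return tok


def simulate(hardened: bool) -> dict:
    """Run the issue's scenario and report what the attacker still holds."""
    site = Site(hardened=hardened)
    victim = "xxxx@gmail.com"                 # constructed address
    site.signup_password(victim, "attacker-chosen-pw")      # step 1
    attacker_session = site.login_password(victim, "attacker-chosen-pw")
    victim_session = site.login_sso("google-sub-0001", victim)  # step 3/4
    acct = site.accounts[victim]
    return {
        "victim_logged_in": victim_session is not None,
        "sso_linked": acct.sso_subject == "google-sub-0001",
        "attacker_password_works": site.login_password(victim, "attacker-chosen-pw") is not None,
        "attacker_session_alive": attacker_session in acct.sessions,
    }


if __name__ == "__main__":
    print("vulnerable:", simulate(hardened=False))
    print("hardened:  ", simulate(hardened=True))
```

The hardened branch is one of two reasonable fixes; the other is to refuse the merge outright and force the classic account through email verification first. Either way the property to keep is that a credential created before the mailbox was proven never survives into a verified account.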