The target was a popular cloud-based business management platform used by several Fortune 500 companies. It had SSO via OAuth 2.0 and allowed third-party developers to integrate using the…

InfoSecWriteUps' platform is  dedicated to providing insights and resources for cybersecurity professionals and enthusiasts. Through articles, tutorials, and security research, InfoSecWriteUps offers insights into cybersecurity vulnerabilities, attack techniques, and defense strategies. Readers can learn about penetration testing, threat intelligence, and incident response to enhance their cybersecurity knowledge and skills.

InfoSec Write-ups

Anmol Singh Yadav discovered a race condition vulnerability in a cloud-based business management platform’s OAuth 2.0 implementation, allowing him to hijack OAuth tokens. By exploiting parallel authorization flow requests with manipulated state and code_verifier values, he obtained access tokens not tied to his session, leading to an $8500 bug bounty for this P1 account takeover vulnerability. The flaw was due to the server not invalidating authorization codes promptly, highlighting the importance of proper token management and validation in OAuth implementations.

How I Hijacked OAuth Tokens Through a Parallel Auth Flow Race Condition — $8500 P1 Bug Bounty 💰

The Flaw: A Parallel Authorization Flow Race Condition