This article is based on a new finding which I was able to discover while doing pentest for a private company. Since I am not allowed to disclose information about the company, let’s assume it as redacted.com. Scroll below to find out how I was able to uniquely bypass authentication on the web for redacted.com.

There were three options for login into the account;

Facebook Login

Google Login

Email and Password Login

First of all, I tried to see if anything such as stealing 0auth token or brute-forcing the account credentials could be done or not on Facebook, Google, and Email login, but found out it was all secured.

While brute-forcing, I got a very unusual response from the API as shown in the picture below.

This surprised me further and got me into thinking for a moment. If you have come this far, can you guess what could be the best possible way to bypass this kind of authentication?

For those who were able to think of the solution, congratulations, you are a very good hacker. For those who were not able to think for the solution scroll below.

I changed auth_type from email to Facebook. As the response said “Try logging in via Facebook”, so I changed auth_type to facebook to fool the server — pretending that I am login via facebook. Guess, what happened next?

I was able to take over all user account from Redacted.com (See the pictures for details). Looking further, I also found a subdomain where the admin login page was discovered. Since there was no login with email we had only two options-

Login with Facebook

Login with Google

Admin Login Dashboard

So, I tried to login via my google account and got a response like below;

The message I got was successful but I was not able to access the dashboard of admin. After the success message, I was redirected to below URL

https://admin.redacted.com/?admin=false&role=

It gave me the following Error;

I change the URL admin=false to true but still, I was not able to bypass the admin panel.

The Admin Login request appeared as;

Login Request

Every time I changed the email to other emails to log in from Google, I got a success message and was able to get the name and slug of the user as above.

Again, I tried changing the email to the original email of the admin. Since I already had the email of the owner of the company, I decided to check with his email.

When I did that I was surprised by viewing the response. I got a success message and I confirmed that the admin exists with that email. I sent the ajax request to /ajax/user/login_google with his email only and followed the redirection and was able to login to the admin account successfully.

Hope you had a good read. I discovered this kind of authentication bypass by accident while doing pentest and thought of sharing with you all. If you have any question, you can reach out to me on twitter at @evilboyajay.

Author — Ajay is the Head of Security at Nassec.io. As a security researcher, he has been inducted in Hall of Fame of Facebook, Microsoft, Sony Etsy and others.

Editor’s Note — We will be publishing write-ups related to cyber security every week. We are looking to grow our community. If you are interested in writing about cyber security, please email at blog@nassec.io.