Stealing gitlab oauth access tokens using XSLeaks Cross-Origin Redirects - CSP Violations in Safari
HackerOne report #1089277 by hubblebubble
on 2021-01-28, assigned to @vdesousa:
Report
Abstract:
This is basically a zero-click exploit to steal "login with gitlab" OAuth tokens on Safari. I have tested it on Safari 13.1.1 and Safari 12.1.2, and it works there with default browser settings, whereas on Safari 14 and Safari 13.1.2 the exploit works if "Prevent Cross-Site Tracking" is disabled.
Bug Details:
When a user first clicks a "Login with gitlab" button, the user is shown a dialog box where they have to authorize that particular app. Once the app has been authorized, a 302 redirect is made to the third-party website with the access token. From then on, whenever the user clicks the "login with gitlab" button for that app, the dialog box is skipped and the 302 redirect to the third-party website, carrying the access token, is made directly.
The redirect here is cross-origin, i.e. from gitlab.com to the third-party website. So when a request is made to
https://gitlab.com/oauth/authorize?client_id=client-id&redirect_uri=example.com
it redirects to https://example.com/?code=access-token. In Safari this cross-origin redirect triggers a SecurityPolicyViolationEvent, and the URL the redirect lands on can be read from SecurityPolicyViolationEvent.documentURI.
You can read more about this at https://xsleaks.dev/docs/attacks/navigations/#cross-origin-redirects
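The leak above depends on the authorization endpoint answering a plain cross-site GET with an immediate 302 to the client's redirect_uri once the app has been approved. The following is an added illustration written for this page, not code from the report or from GitLab: a minimal model of an authorize endpoint in a vulnerable variant (auto-302 on GET for an already-authorized app, the behaviour described above) next to a hardened variant that never issues a code on a GET, rendering a same-origin continue page instead and redirecting only in response to a POST that carries a per-session CSRF token, i.e. after an explicit click on gitlab's own origin. The function names, the in-memory client/authorization stores and the response tuple shape (status, headers, body) are all assumptions; the page does not say how GitLab fixed the issue.

```python
import secrets
from urllib.parse import urlencode

# Constructed sample state: a registered client and the (user, client) pairs
# that have already been approved in the consent dialog.
CLIENTS = {"client-id": {"redirect_uri": "https://example.com/callback"}}
AUTHORIZED = {("user-1", "client-id")}


def _issue_code(user, client_id):
    """Mint an opaque authorization code (assumed format: random URL-safe token)."""
    return secrets.token_urlsafe(24)


def _redirect(redirect_uri, code, state):
    """Build the 302 that hands the code to the registered redirect_uri."""
    params = {"code": code}
    if state:
        params["state"] = state
    return 302, {"Location": f"{redirect_uri}?{urlencode(params)}"}, ""


def authorize_vulnerable(method, user, client_id, redirect_uri, state=None):
    """Auto-redirects on GET once the app has been approved.

    This is the pattern the report abuses: a cross-site GET (e.g. a form
    submission or iframe on an attacker page) immediately yields a
    cross-origin redirect carrying the code, which a CSP violation event
    on that page can expose.
    """
    client = CLIENTS.get(client_id)
    if client is None or client["redirect_uri"] != redirect_uri:
        return 400, {}, "invalid client or redirect_uri"
    if (user, client_id) in AUTHORIZED:
        return _redirect(redirect_uri, _issue_code(user, client_id), state)
    return 200, {}, "consent page"


def authorize_hardened(method, user, client_id, redirect_uri, session,
                       state=None, form=None):
    """Never redirects cross-origin in response to a GET, even for an approved app.

    GET renders a same-origin page with a 'Continue' (or 'Authorize') button
    and stores a fresh CSRF token in the session. The code is issued only for
    a POST whose token matches, so no cross-site navigation can produce the
    redirect chain on its own.
    """
    client = CLIENTS.get(client_id)
    if client is None or client["redirect_uri"] != redirect_uri:
        return 400, {}, "invalid client or redirect_uri"
    if method == "GET":
        session["csrf"] = secrets.token_urlsafe(16)
        already = (user, client_id) in AUTHORIZED
        body = ("continue page" if already else "consent page") + f" csrf={session['csrf']}"
        return 200, {"Cache-Control": "no-store"}, body
    if method == "POST":
        token = (form or {}).get("csrf", "")
        if not token or not secrets.compare_digest(token, session.get("csrf", "")):
            return 403, {}, "bad csrf token"
        session.pop("csrf")  # single use
        AUTHORIZED.add((user, client_id))
        return _redirect(redirect_uri, _issue_code(user, client_id), state)
    return 405, {"Allow": "GET, POST"}, ""
```

The hardened handler deliberately treats an already-authorized app the same as a new one with respect to the HTTP method: approval may skip the scope dialog, but not the click. Note that neither the state parameter nor PKCE would close this particular hole, because in the report's scenario the attacker constructs the authorize URL and therefore knows both values; the redirect itself has to stop being triggerable from a cross-site GET.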
POC:
Here, for the sake of the POC, we will steal the access token that is generated when using "login with gitlab" for https://forum.gitlab.com:
- Use a gitlab account that has already authorized the forum.gitlab.com app.
- Then simply visit this URL:
  https://cm2.pw/poc/?extract=code&domain=gitlab.com&url=https%3a//gitlab.com/oauth/authorize%3fclient_id%3d602002e60806134065316781a95c01d99369b55d1354045e2393af0177434fa2%26redirect_uri%3dhttps%253A%252F%252Fforum.gitlab.com%252Fauth%252Foauth2_basic%252Fcallback%26response_type%3dcode%26scope%3dread_user%2bopenid%2bprofile%2bemail%26state%3d035d44690699465665263fce75707565f10104ae50d0b7a2
- You will see an alert box with the stolen access token :)
Impact
We can steal access tokens, potentially allowing account takeover (ATO) :)