Vulnerability Summary
What started as a simple JavaScript analysis ended in a broken OAuth flow that allowed unauthenticated access to protected APIs — and a €1500 bug bounty reward.
While performing reconnaissance on a web application, I discovered that it was possible to obtain a valid OAuth access token without any authentication.
The issue started with a publicly accessible JavaScript file exposing an OAuth client_id.
Using this identifier, the authorization server issued a valid access token without requiring any user authentication.
The token could then be used to interact with protected backend APIs that executed real business logic.
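The weak token-endpoint logic the write-up describes, modelled beside a hardened version, as an added example that is not code from the original post or from the affected application; the client registry, secret, grant types and function names are all constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed client registry (hypothetical): confidential clients hold a secret,
# public clients (such as a browser front end) by design do not.
CLIENTS = {
    "web-frontend": {"type": "public", "secret_hash": None},
    "billing-service": {"type": "confidential",
                        "secret_hash": hashlib.sha256(b"s3cret-example").hexdigest()},
}


def _secret_matches(client, presented):
    """Constant-time comparison of a presented client_secret against the stored hash."""
    if client["secret_hash"] is None or presented is None:
        return False
    return hmac.compare_digest(client["secret_hash"],
                               hashlib.sha256(presented.encode()).hexdigest())


def issue_token_weak(req):
    """Vulnerable pattern: a registered client_id alone is treated as proof of identity.
    Since the client_id ships in public JavaScript, anyone can satisfy this check."""
    if req.get("client_id") in CLIENTS:
        return {"access_token": secrets.token_urlsafe(16), "token_type": "Bearer"}
    return {"error": "invalid_client"}


def issue_token_hardened(req, valid_codes):
    """Hardened: client_id is an identifier, never a credential.
    - client_credentials: only confidential clients, authenticated by their secret.
    - authorization_code: needs a single-use code minted for exactly this client_id
      by a user-authenticated authorization step (valid_codes maps code -> client_id)."""
    client = CLIENTS.get(req.get("client_id"))
    if client is None:
        return {"error": "invalid_client"}
    grant = req.get("grant_type")
    if grant == "client_credentials":
        if client["type"] != "confidential" or not _secret_matches(client, req.get("client_secret")):
            return {"error": "invalid_client"}
    elif grant == "authorization_code":
        # pop() consumes the code, so a replayed code fails on the second use
        if valid_codes.pop(req.get("code"), None) != req.get("client_id"):
            return {"error": "invalid_grant"}
    else:
        return {"error": "unsupported_grant_type"}
    return {"access_token": secrets.token_urlsafe(16), "token_type": "Bearer"}
```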
HackerOne disclosed report --> https://hackerone.com/reports/3543475 by xavlimsg
HackerOne disclosed report --> https://hackerone.com/reports/3020021 by adilnbabras
HackerOne disclosed report --> https://hackerone.com/reports/3325582 by adilnbabras
Great write-up! It's quite interesting how by digging into JS files it's possible to obtain sensitive information such as the client_id and to escalate privileges by accessing protected API endpoints. It requires critical thinking and a good eye for detail. Thanks for sharing!
<3