Account Takeover using SSO Logins

Rikesh Baniya
3 min read · Dec 12, 2024


Companies often provide various login methods for users to authenticate their accounts.

You might have come across options like “Login with Google,” “Facebook,” or “Apple” on many websites.

Even if you create an account using an email/password, you can still log in to that account using third-party SSO (Single Sign-On) options.

The hidden SSO options

What many people don’t realize is that some websites also offer custom SSO login options, such as Okta or Auth0.

These hidden SSO options can often be enabled, allowing you to log in to your account through these providers as well.

Example:

If you visit Grammarly, you will typically see Google, Apple, and Facebook as SSO login options.

Grammarly, however, also provides a custom SSO option.

User creation with custom SSOs

If you want to create an account with email victim@gmail.com on Facebook, Google, or Apple, you are required to verify that the email address belongs to you.

In the case of SSO providers like Okta or Auth0, however, you don't need to verify anything.

There is no email verification step.

You can create user accounts using any email address you choose.

The expected SSO login flow

On target.com, there exists an organization called OrganizationA.
The members of OrganizationA are admin@gmail.com, user1@gmail.com and user2@gmail.com.

OrganizationA has enabled custom SSO login using Okta.

The admin sets up an Okta instance, creates users with the emails admin@gmail.com and user1@gmail.com, and links it with OrganizationA.

Now the users user1@gmail.com and user2@gmail.com can log in to target.com using Okta SSO.

The misconfiguration

Suppose victim@gmail.com is a member of VictimOrganization on target.com.

The attacker creates AttackerOrganization on target.com and invites victim@gmail.com as a member.

The attacker then sets up Okta and links it with their AttackerOrganization.

In their Okta instance, the attacker creates a user account with the email victim@gmail.com.

Using this fake (attacker-controlled) Okta account linked to victim@gmail.com, the attacker logs in to target.com as victim@gmail.com.

Since victim@gmail.com is also a member of VictimOrganization, the attacker is able to switch organizations within target.com, gaining unauthorized access to sensitive data and functionality.
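To make the misconfiguration concrete from the defender's side, here is an added Python model of the two login flows described above (example code written for this article, not target.com's or Okta's implementation). The organization names mirror the write-up; the issuer URLs, the `orga.example` domain and the membership lists are constructed placeholders. The vulnerable flow keys the session on the IdP's email claim alone, so "switch organization" reaches every org that lists that address; the hardened flow only accepts an email whose domain the linked organization has proven it controls, and keeps the resulting session inside that organization.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample data (not from the article). The "orga.example" domain and
# the issuer URLs are assumed placeholders.


@dataclass
class Organization:
    name: str
    members: set
    sso_issuer: Optional[str] = None                    # IdP tenant the org admin linked
    verified_domains: set = field(default_factory=set)  # email domains the org proved it controls


@dataclass
class SsoAssertion:
    issuer: str   # IdP tenant that signed the assertion (signature check assumed done upstream)
    email: str    # email claim; an IdP admin can put any address here
    org: str      # organization the user chose on the SSO login page


ORGS = {
    "OrganizationA": Organization(
        "OrganizationA", {"admin@orga.example", "user1@orga.example"},
        "https://orga.okta.example", {"orga.example"}),
    "VictimOrganization": Organization(
        "VictimOrganization", {"victim@gmail.com"}),
    "AttackerOrganization": Organization(
        "AttackerOrganization", {"victim@gmail.com"},
        "https://attacker.okta.example"),
}

# The two logins from the write-up, as constructed assertions.
LEGIT_LOGIN = SsoAssertion("https://orga.okta.example", "user1@orga.example", "OrganizationA")
FORGED_LOGIN = SsoAssertion("https://attacker.okta.example", "victim@gmail.com", "AttackerOrganization")


def _issuer_and_membership_ok(assertion, orgs):
    """Checks every implementation should already do: the assertion comes from
    the IdP linked to the chosen org, and the email is a member of that org."""
    org = orgs.get(assertion.org)
    return org is not None and assertion.issuer == org.sso_issuer and assertion.email in org.members


def vulnerable_login(assertion, orgs):
    """Misconfigured flow: the email claim becomes a site-wide identity.

    Returns a session dict, or None if the login is rejected.
    """
    if not _issuer_and_membership_ok(assertion, orgs):
        return None
    # Session is keyed on the email alone, so 'switch organization' reaches
    # every org that lists this address as a member, including orgs that
    # never delegated authentication to this IdP.
    return {
        "user": assertion.email,
        "orgs": sorted(n for n, o in orgs.items() if assertion.email in o.members),
    }


def hardened_login(assertion, orgs):
    """Fixed flow: an IdP may only vouch for identities its org has proven it
    owns, and the session stays inside the org that IdP is linked to."""
    if not _issuer_and_membership_ok(assertion, orgs):
        return None
    org = orgs[assertion.org]
    domain = assertion.email.rsplit("@", 1)[-1].lower()
    if domain not in org.verified_domains:
        # AttackerOrganization never proved control of gmail.com, so its IdP
        # cannot assert victim@gmail.com.
        return None
    return {"user": assertion.email, "orgs": [org.name]}


if __name__ == "__main__":
    print("vulnerable, forged :", vulnerable_login(FORGED_LOGIN, ORGS))
    print("hardened,   forged :", hardened_login(FORGED_LOGIN, ORGS))
    print("hardened,   legit  :", hardened_login(LEGIT_LOGIN, ORGS))
```

Running the block prints a session for the forged login under the vulnerable flow that spans both AttackerOrganization and VictimOrganization, while the hardened flow rejects it and still admits the legitimate OrganizationA user. The two checks are independent: domain verification stops a rogue IdP from asserting addresses it does not own, and org-scoped sessions limit the blast radius if an IdP is ever compromised.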

Report Example

Impact: High/Critical
Bounty: $$$$
