Zero-Click ATO via OAuth Response Manipulation
PoC:
1 - Understand the mechanism of the auth login, so:
- Intercept the response of "Sign in with Google"
- In the response you will see an Authorization header containing "Basic: test"; the value was Base64-encoded
- After decoding you will notice it looked like:
"user_id": "abc1111",
"token": "MjIyMjIyQVBQX0lE"
2 - Confirm the pattern with another account: the token was the same as in the first one, e.g.:
"user_id": "def2222",
"token": "MjIyMjIyQVBQX0lE"
The token value is identical across both accounts, confirming it is a static application-level value (App ID), not a user-specific one.
Pretty good, so how can I get a "user_id" to confirm it?
After a period of searching, I noticed that the application sends an invite link to other users to join your org.
3 - Intercept the response of an invitation to another user; the "user_id" was in the response body.
4 - Created a third account and sent it an invite, intercepted the response and got its "user_id" value.
5 - Combined the "user_id" of the 3rd account with the static token value and Base64-encoded them together to craft a forged authorization token.
6 - Start the auth login with the 3rd account to confirm the exploit.
7 - Copy an old response of a successful login with any other account, replace the Authorization header with the crafted one and forward the request.
8 - Zero-Click ATO confirmed.
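The root cause is that the server authenticated whichever user_id the client put in the credential, as long as it was paired with a value that is the same for every user and therefore not a secret. To make that concrete from the defender's side, the following is an added Python example, not code from the original writeup or from the affected application: `vulnerable_verify` models the weak check the writeup observed, and `issue_session_token` / `hardened_verify` show the fix, a server-minted session token bound to the user with an HMAC under a server-only key. The user ids reuse the page's placeholders; `STATIC_APP_TOKEN`, `SERVER_KEY`, the claim names and all function names are constructed for this example.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Constructed placeholder for the static, application-level value the writeup
# found in every account's credential (the same "token" for abc1111 and def2222).
# Anyone who has logged in once knows it, so it authenticates nothing.
STATIC_APP_TOKEN = "APP_ID_PLACEHOLDER"

# Per-deployment secret for the hardened design; it never leaves the server.
SERVER_KEY = secrets.token_bytes(32)
SIG_LEN = hashlib.sha256().digest_size  # 32 bytes of HMAC-SHA256


def basic_credential(user_id: str) -> str:
    """Credential shape described in the writeup: Base64 of a JSON object
    holding a user_id and the static app token (what step 5 of the PoC built)."""
    payload = json.dumps({"user_id": user_id, "token": STATIC_APP_TOKEN}).encode()
    return "Basic " + base64.b64encode(payload).decode()


def vulnerable_verify(authorization: str) -> Optional[str]:
    """Weak check modelled on the observed behaviour: the server trusts whatever
    user_id the client sends as long as the app-level token matches. Because the
    token is neither secret nor per-user, knowing a victim's user_id (leaked by
    the invite response) is enough to be logged in as that victim."""
    scheme, _, cred = authorization.partition(" ")
    if scheme != "Basic":
        return None
    try:
        payload = json.loads(base64.b64decode(cred))
    except (ValueError, binascii.Error):
        return None
    if not isinstance(payload, dict) or payload.get("token") != STATIC_APP_TOKEN:
        return None
    return payload.get("user_id")  # client-controlled identity: account takeover


def issue_session_token(user_id: str, ttl_seconds: int = 3600,
                        now: Optional[float] = None) -> str:
    """Hardened design: only after the IdP's OAuth id_token has been validated
    server-side, mint a session token whose claims are bound to this user by an
    HMAC under the server-only key. Layout: JSON body || 32-byte MAC."""
    claims = {"sub": user_id,
              "exp": int((now if now is not None else time.time()) + ttl_seconds),
              "jti": secrets.token_hex(8)}
    body = json.dumps(claims, separators=(",", ":")).encode()
    sig = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + sig).decode()


def hardened_verify(authorization: str, now: Optional[float] = None) -> Optional[str]:
    """Accept only tokens this server signed, for the subject it signed them for,
    and only before expiry. Changing the user id inside the token invalidates the
    MAC, so a leaked user_id on its own grants no access."""
    scheme, _, cred = authorization.partition(" ")
    if scheme != "Bearer":
        return None
    try:
        raw = base64.urlsafe_b64decode(cred)
    except (ValueError, binascii.Error):
        return None
    if len(raw) <= SIG_LEN:
        return None
    body, sig = raw[:-SIG_LEN], raw[-SIG_LEN:]
    expected = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return None
    try:
        claims = json.loads(body)
    except ValueError:
        return None
    if not isinstance(claims, dict):
        return None
    if claims.get("exp", 0) < (now if now is not None else time.time()):
        return None
    return claims.get("sub")


def rebind_token(token: str, new_user_id: str) -> str:
    """Test helper: repeat the writeup's swap of one user's id into another
    session's credential, but against the signed token, keeping the original MAC
    and changing only the subject. hardened_verify must reject the result."""
    raw = base64.urlsafe_b64decode(token)
    body, sig = raw[:-SIG_LEN], raw[-SIG_LEN:]
    claims = json.loads(body)
    claims["sub"] = new_user_id
    new_body = json.dumps(claims, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(new_body + sig).decode()


if __name__ == "__main__":
    # Weak design: a credential assembled from a leaked user_id is accepted as that user.
    print(vulnerable_verify(basic_credential("def2222")))               # def2222
    # Hardened design: the server-issued token for abc1111 works ...
    legit = issue_session_token("abc1111")
    print(hardened_verify("Bearer " + legit))                           # abc1111
    # ... but rebinding it to another user id, or presenting the old Basic shape, does not.
    print(hardened_verify("Bearer " + rebind_token(legit, "def2222")))  # None
    print(hardened_verify(basic_credential("def2222")))                 # None
```

The two properties the fix relies on are that the per-user credential is issued by the server only after the identity provider's response has been validated, and that the user identity is inside the MAC'd body, so a user id obtained from another endpoint (here, the invite response) cannot be substituted into a credential. The expiry and `jti` claims are there so a captured token cannot be replayed indefinitely.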