BookMyShow account takeover using social login

Fun Apps forwards Derpina's access token to BMS and logs into Derpina's BMS account
Visual representation of how the victim's access token is assumed to be used to log into BMS

Disclaimer: This story is just to give you an idea how misconfigured social login can be exploited.

Hello cruel world,

This is the story of an innocent girl, Derpina Victims, whose BookMyShow account got hacked because she just wanted to know “when will she die” from a stupid viral Facebook app.

Derpina got to know about this “cool” Facebook app that tells her when she will die. All her friends were posting their results, so she tried it as well. Little did she know that the creator of the app is an evil person who collects the access tokens of innocent people and uses those tokens to log into BMS.

So how on earth did BMS allow the evil man to log into Derpina's account?

Because technically BMS only checked that the token was a valid Facebook token and that the email tied to it existed in its database. It never checked which app the token had been issued to, so a token minted for any Facebook app worked just as well as one minted for BMS's own app.

More technical details are well explained by Bhavuk Jain (@bhavukjain1) on his blog.

My finding started with an email from BookMyShow claiming that users' accounts were compromised because of data leaks on other platforms.

Whether their claim is true or not, I thought to myself: we are not living in 2005. There must be something more to this. So I got my tools ready and first tried SQL injection on the login endpoint. Nothing happened. Then I tried Login with Facebook. I noticed that BMS was using an access_token for login. So I got an access token created by my own app with the email scope and used it instead of the access token generated by the BookMyShow app. Voila, it worked! I got logged into BookMyShow using an access token created by a third-party app.

Access token of my Facebook app.
Logged into BMS using the access token of my app.

Login with Facebook was not the only vulnerable flow. Login with Google was misconfigured in the same way: BMS didn't check which client the id_token had been issued to (its audience), so an id_token minted for any Google OAuth client was accepted.
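The check that was missing, for both the Facebook and the Google flow described above, as an added Python example (not code from the post or from BookMyShow). It models a relying party's social-login handler. The Facebook side takes a constructed copy of the JSON that Facebook's `GET /debug_token` endpoint returns for a user token (`data.app_id`, `data.is_valid`, `data.expires_at`, `data.scopes`, `data.user_id`) together with the `/me?fields=id,email` response for the same token; the Google side takes the decoded claims of an id_token whose RS256 signature is assumed to have already been verified against Google's published certificates. The app ID, client ID, user database and token data are all constructed for the example. The vulnerable handler does what the post describes (valid token plus known email), and the hardened one additionally pins the token to the relying party's own app or client:

```python
import time

# Hypothetical identifiers for the relying party's own Facebook app and Google client.
OUR_FB_APP_ID = "111111111111111"
OUR_GOOGLE_CLIENT_ID = "222222222222-example.apps.googleusercontent.com"

# Constructed user database: email -> account id.
USERS = {"derpina@example.com": "bms-user-42"}

# Constructed /debug_token + /me responses. Same Facebook user, same email;
# the first token was minted for our app, the second for the "when will you die" app.
FB_TOKEN_OURS = {
    "debug": {"data": {"app_id": OUR_FB_APP_ID, "type": "USER", "is_valid": True,
                       "expires_at": 4102444800, "scopes": ["email", "public_profile"],
                       "user_id": "1001"}},
    "me": {"id": "1001", "email": "derpina@example.com"},
}
FB_TOKEN_EVIL_APP = {
    "debug": {"data": {"app_id": "999999999999999", "type": "USER", "is_valid": True,
                       "expires_at": 4102444800, "scopes": ["email", "public_profile"],
                       "user_id": "1001"}},
    "me": {"id": "1001", "email": "derpina@example.com"},
}

# Constructed id_token claims (signature assumed verified). Only `aud` differs.
GOOGLE_CLAIMS_OURS = {"iss": "https://accounts.google.com", "aud": OUR_GOOGLE_CLIENT_ID,
                      "sub": "10769150350006150715113082367", "exp": 1560003600,
                      "email": "derpina@example.com", "email_verified": True}
GOOGLE_CLAIMS_EVIL_APP = dict(GOOGLE_CLAIMS_OURS, aud="333333333333-evil.apps.googleusercontent.com")

GOOGLE_ISSUERS = {"accounts.google.com", "https://accounts.google.com"}


def vulnerable_facebook_login(token_info, users):
    """The behaviour described in the post: any valid FB token + a known email => logged in."""
    data = token_info["debug"]["data"]
    if not data.get("is_valid"):
        return None
    return users.get(token_info["me"].get("email"))


def hardened_facebook_login(token_info, users, expected_app_id, now=None):
    """Accept only user tokens issued to OUR app, unexpired, with the email scope,
    and whose /me identity matches the token's user_id."""
    now = time.time() if now is None else now
    data = token_info["debug"]["data"]
    if not data.get("is_valid") or data.get("type") != "USER":
        return None
    if data.get("app_id") != expected_app_id:      # the missing check
        return None
    expires_at = data.get("expires_at", 0)         # 0 means a non-expiring token
    if expires_at and expires_at <= now:
        return None
    if "email" not in data.get("scopes", []):
        return None
    me = token_info["me"]
    if me.get("id") != data.get("user_id") or not me.get("email"):
        return None
    return users.get(me["email"])


def google_id_token_login(claims, users, expected_client_id, now=None):
    """Accept an id_token only if Google issued it for OUR client (aud), it is
    unexpired and the email it carries is verified."""
    now = time.time() if now is None else now
    if claims.get("iss") not in GOOGLE_ISSUERS:
        return None
    if claims.get("aud") != expected_client_id:    # the missing check
        return None
    if claims.get("exp", 0) <= now:
        return None
    if not claims.get("email_verified"):
        return None
    return users.get(claims.get("email"))


if __name__ == "__main__":
    t = 1560000000  # fixed clock (June 2019) so the example is deterministic
    print("vulnerable, attacker's app token:", vulnerable_facebook_login(FB_TOKEN_EVIL_APP, USERS))
    print("hardened,   attacker's app token:", hardened_facebook_login(FB_TOKEN_EVIL_APP, USERS, OUR_FB_APP_ID, t))
    print("hardened,   our own app token:   ", hardened_facebook_login(FB_TOKEN_OURS, USERS, OUR_FB_APP_ID, t))
    print("google,     attacker's client:   ", google_id_token_login(GOOGLE_CLAIMS_EVIL_APP, USERS, OUR_GOOGLE_CLIENT_ID, t))
    print("google,     our own client:      ", google_id_token_login(GOOGLE_CLAIMS_OURS, USERS, OUR_GOOGLE_CLIENT_ID, t))
```

The `app_id` comparison is the whole fix on the Facebook side: Facebook's `/debug_token` tells you which app a token was issued to, and a relying party must refuse anything not issued to its own app. For Google the equivalent is the `aud` claim, which libraries such as google-auth's `verify_oauth2_token` check when you pass your client ID as the audience. Matching `/me` against the token's `user_id` is an extra guard against mixing up responses from two different tokens.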

Timeline:
13 Jun 2019 at 1:06 AM — Security update email from BookMyShow
13 Jun 2019 at 1:35 AM — Found the vulnerability
13 Jun 2019 at 4:23 AM — Reported with mitigation suggestions
26 Jun 2019 at 9:43 PM — Received email saying the bug has been fixed
28 Jun 2019 at 3:43 PM — Bounty rewarded