Proposed VRT entry:
Server Security Misconfiguration -> OAuth Misconfiguration -> Failure to unlink OAuth Identity - P4.
Attack Methodology:
- A victim creates an account via Google OAuth (or any other OAuth provider)
- A victim's Google account becomes compromised by a malicious actor
- In order to maintain the integrity of the victim's account, the victim changes the account's email address to an alternative Google OAuth account (or username/password authentication) and verifies the account with the new OAuth provider
- The malicious actor can still authenticate using the victim's old (and now compromised) Google OAuth account
Impact: (High) A victim's user account can become compromised despite prior efforts made to remove the OAuth provider. This may result in a complete Account Takeover and access to sensitive PII, as well as the ability to perform other sensitive actions.
Likelihood: (Low) A malicious actor would first need to compromise a victim's OAuth account.
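The methodology above boils down to one missing step in the email-change flow: the old provider identity stays linked. The following is an added illustration, not code from this issue or from any project, using a hypothetical in-memory account store with constructed data; it puts the flawed email-change handler beside a corrected one that unlinks every previous identity and invalidates sessions.

```python
from dataclasses import dataclass, field


@dataclass
class User:
    user_id: int
    email: str
    identities: set = field(default_factory=set)  # (provider, subject) pairs allowed to sign in
    session_version: int = 0  # bumped to invalidate sessions issued before a security change


class AccountStore:
    """Hypothetical in-memory account store (constructed for this example)."""

    def __init__(self):
        self.users = {}
        self.identity_index = {}  # (provider, subject) -> user_id, consulted by the OAuth callback

    def register_with_oauth(self, provider, subject, email):
        user = User(len(self.users) + 1, email, {(provider, subject)})
        self.users[user.user_id] = user
        self.identity_index[(provider, subject)] = user.user_id
        return user

    def login_with_oauth(self, provider, subject):
        """OAuth callback: the provider asserted `subject`; map it to a local user or None."""
        user = self.users.get(self.identity_index.get((provider, subject)))
        # Defence in depth: the index must agree with the user's current identity set.
        if user is None or (provider, subject) not in user.identities:
            return None
        return user

    def change_email_vulnerable(self, user_id, new_email, new_identity):
        """Flawed flow: the new identity is linked, but the old one is never removed."""
        user = self.users[user_id]
        user.email = new_email
        user.identities.add(new_identity)
        self.identity_index[new_identity] = user_id

    def change_email_fixed(self, user_id, new_email, new_identity):
        """Corrected flow: re-verifying with a new identity unlinks every previous identity
        and invalidates existing sessions, so the old provider account no longer signs in."""
        user = self.users[user_id]
        for old in user.identities:
            self.identity_index.pop(old, None)
        user.identities = {new_identity}
        user.email = new_email
        self.identity_index[new_identity] = user_id
        user.session_version += 1
```

A regression test for this class of bug is simply: after the email change, a login with the old `(provider, subject)` must return no user.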