Discovering a Session Persistence Vulnerability That Led to a $$$$ Bounty

Muthu D
4 min read · Aug 19, 2024

A Chance Discovery

In the world of cybersecurity, sometimes the most dangerous vulnerabilities are hidden in plain sight. It all began one evening as I was working on routine bug bounty testing. Everything seemed ordinary until I stumbled upon something unusual — an issue that could easily be overlooked but had the potential to cause serious damage.

I encountered a flaw in a popular service’s OAuth authorization process. At first, it didn’t seem like a big deal. But as I dug deeper, I realized this was more than just a minor oversight. It was a ticking time bomb waiting to be exploited.

The Power of OAuth: A Double-Edged Sword

OAuth is a fantastic tool, allowing users to log in to multiple services with just one account. But what happens when things go wrong? Imagine this: you log in to a main domain, let’s call it Domain A. You then use Domain A to access a subdomain, Subdomain B, through OAuth. Everything works smoothly — until you decide to revoke Subdomain B’s access from Domain A.

In theory, that should end your session on Subdomain B immediately. But what if it doesn’t? What if, despite revoking access and even changing your password, Subdomain B remains active? This is exactly what I found. A ghost session, lurking, with full access to your account.
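The failure described above, as an added example that is not from the original post or the affected service: a relying party that trusts only its local session, next to one that re-checks the grant with the identity provider on every request. All class and method names are hypothetical, and the in-memory model is an assumption about how such a check could be structured.

```python
from dataclasses import dataclass, field

@dataclass
class IdentityProvider:
    """Stands in for Domain A (hypothetical model): tracks grants and password changes."""
    grants: dict = field(default_factory=dict)            # (user, app) -> granted_at
    password_changed: dict = field(default_factory=dict)  # user -> changed_at

    def authorize(self, user, app, now):
        self.grants[(user, app)] = now

    def revoke(self, user, app):
        self.grants.pop((user, app), None)

    def change_password(self, user, now):
        self.password_changed[user] = now

    def grant_valid(self, user, app, session_issued_at):
        granted_at = self.grants.get((user, app))
        if granted_at is None or granted_at > session_issued_at:
            return False  # revoked, or re-granted after this session was created
        # A password change after the session was issued also invalidates it.
        return self.password_changed.get(user, 0) <= session_issued_at

@dataclass
class Session:
    user: str
    issued_at: float

class RelyingParty:
    """Stands in for Subdomain B (hypothetical model)."""
    def __init__(self, idp, app="subdomain-b"):
        self.idp, self.app, self.sessions = idp, app, {}

    def login(self, sid, user, now):
        self.idp.authorize(user, self.app, now)
        self.sessions[sid] = Session(user, now)

    def check_vulnerable(self, sid):
        # Trusts the local session alone: the "ghost session" behaviour.
        return sid in self.sessions

    def check_hardened(self, sid):
        s = self.sessions.get(sid)
        if s is None:
            return False
        if not self.idp.grant_valid(s.user, self.app, s.issued_at):
            del self.sessions[sid]  # drop the stale session on first use
            return False
        return True
```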

The Vulnerability That Almost Got Away
