How do I bypass Google authentication on the Periscope management panel?
Periscope is Twitter's iOS/Android app, used mainly for live broadcasting. Its millions of users are administered through a web-based management panel at admin.periscope.tv.
When you browse to the site, every request is redirected to /auth?redirect=/ (because we do not yet have a valid session), which in turn redirects to Google authentication.
The redirect URL is shown below and carries a number of parameters. The most interesting one is hd, which restricts login to accounts from a specific hosted domain, in our case bountyapp.co:
https://accounts.google.com/o/oauth2/auth?access_type=&approval_prompt=&client_id=57569323683-c0hvkac6m15h3u3l53u89vpquvjiu8sb.apps.googleusercontent.com&hd=bountyapp.co&redirect_uri=https%3A%2F%2Fadmin.periscope.tv%2Fauth%2Fcallback&response_type=code&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fplus.login+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.profile&state=%2FStreams
We attempted to log in with a test@gmail.com account and were sent to the account selection page; trying again simply redirected us back to the same page as before.
However, we can simply remove this parameter. Nothing in the URL is signed, so nothing prevents us from modifying it; hd is only a hint to Google, and it is entirely the application's job to verify the token it gets back.
This gives us the following URL (you may notice that I have also removed the Google+ scope, because the test account was not registered for Google+):
https://accounts.google.com/o/oauth2/auth?access_type=&approval_prompt=&client_id=57569323683-c0hvkac6m15h3u3l53u89vpquvjiu8sb.apps.googleusercontent.com&redirect_uri=https%3A%2F%2Fadmin.periscope.tv%2Fauth%2Fcallback&response_type=code&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.profile&state=%2FStreams
The browser follows this new URL and prompts us to authorize the application.
Clicking the "Accept" button sends the browser back to the management panel's callback with an authorization code.
At this point the application holds a code that it exchanges for an access token. It should then verify the returned user ID against a whitelist, or at the very least verify that the account belongs to the bountyapp.co domain.
In this case, however, the application simply assumes that we have logged in as an employee with an @bountyapp.co address. The only scope requested, userinfo.profile, does not even include the user's email address, so the application has no way to check it.
With that, we have access to the management backend.
From here we can see a great deal: users and the various streams they broadcast.
Solution
Twitter made two changes to fix this bug. The first is to request an additional scope, so that the user's email address is actually returned:
https://www.googleapis.com/auth/userinfo.email
The second is to fix the user verification in the callback. Now, if you try to authenticate with a user who is not allowed, only a 401 page is returned:
HTTP/1.1 401 Unauthorized
Content-Type: text/html; charset=utf-8
Location: /Login
Strict-Transport-Security: max-age=31536000; preload
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-Xss-Protection: 1; mode=block
Content-Length: 36
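The two halves of the story above, the attacker stripping the unsigned hd hint and the callback either trusting or verifying the result, as an added example. This is not Periscope's or Twitter's code: the two callback functions are a hypothetical reconstruction of the before and after behaviour the write-up describes, the userinfo payloads are constructed to mirror what Google returns for the userinfo.profile scope alone versus profile plus userinfo.email, and the field names (email, email_verified, hd) are assumed from Google's OpenID Connect userinfo response.

```python
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Added example, not code from the original post. The callback logic is a
# hypothetical reconstruction of the pre-fix and post-fix behaviour described
# above; the userinfo dictionaries are constructed sample data.

ALLOWED_DOMAIN = "bountyapp.co"

# The auth URL from the write-up (profile scope only, hd hint present).
AUTH_URL = (
    "https://accounts.google.com/o/oauth2/auth?access_type=&approval_prompt="
    "&client_id=57569323683-c0hvkac6m15h3u3l53u89vpquvjiu8sb.apps.googleusercontent.com"
    "&hd=bountyapp.co&redirect_uri=https%3A%2F%2Fadmin.periscope.tv%2Fauth%2Fcallback"
    "&response_type=code&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.profile"
    "&state=%2FStreams"
)

# Constructed: what the userinfo endpoint yields with only userinfo.profile.
# There is no email field at all, so nothing here identifies the domain.
GMAIL_PROFILE_ONLY = {"id": "100000000000000000001", "name": "Test User"}

# Constructed: a consumer Gmail account after the email scope was added.
# Google sets hd only for hosted (Workspace) accounts, so it is absent.
GMAIL_WITH_EMAIL = {
    "id": "100000000000000000001",
    "name": "Test User",
    "email": "test@gmail.com",
    "email_verified": True,
}

# Constructed: a genuine employee account on the hosted domain.
EMPLOYEE = {
    "id": "100000000000000000002",
    "name": "Alice Employee",
    "email": "alice@bountyapp.co",
    "email_verified": True,
    "hd": "bountyapp.co",
}


def strip_hd(auth_url: str) -> str:
    """The attacker's step: drop the hd hint from the authorization URL.

    The URL carries no signature, so the rebuilt query is accepted as-is and
    Google shows the normal account chooser without the domain restriction.
    """
    parts = urlsplit(auth_url)
    params = parse_qs(parts.query, keep_blank_values=True)
    params.pop("hd", None)
    return urlunsplit(parts._replace(query=urlencode(params, doseq=True)))


def vulnerable_callback(userinfo: dict) -> bool:
    """Pre-fix behaviour: the code exchange succeeded and a profile came back,
    so the caller is treated as an employee. Nothing ties the account to the
    hd value that was (or was not) in the original request."""
    return bool(userinfo.get("id"))


def hardened_callback(userinfo: dict, allowed_domain: str = ALLOWED_DOMAIN) -> bool:
    """Post-fix behaviour: require a verified email on the allowed domain and
    Google's own hd claim for that domain.

    Checking hd, not just the email suffix, is what makes the hint enforceable
    server-side: hd is asserted by Google for hosted accounts only, so a
    consumer account cannot satisfy it no matter what the request URL said.
    """
    if not userinfo.get("email_verified", False):
        return False
    if userinfo.get("hd") != allowed_domain:
        return False
    email = userinfo.get("email", "").lower()
    return email.endswith("@" + allowed_domain)


if __name__ == "__main__":
    print("stripped URL still has hd:", "hd=" in strip_hd(AUTH_URL))
    for label, info in [("gmail/profile-only", GMAIL_PROFILE_ONLY),
                        ("gmail/with-email", GMAIL_WITH_EMAIL),
                        ("employee", EMPLOYEE)]:
        print(f"{label:20s} vulnerable={vulnerable_callback(info)} "
              f"hardened={hardened_callback(info)}")
```

The first fix on its own (adding the email scope) only makes the check possible; it is the callback-side check on email_verified and hd that actually closes the hole, which is why both changes were needed.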