PoC: OAuth Authorization Code Theft

secure.unico.io - postMessage Wildcard Vulnerability

Vulnerability: The callback page web_auth_handler.js forwards its full URL (location.href, which carries the OAuth authorization code in ?code=) to window.opener with postMessage(location.href, "*"). Because the targetOrigin is the wildcard "*", any origin that opened the page as a popup receives the code.
Attack Scenario:
1. Attacker hosts this page on malicious domain
2. Victim clicks "Login with Unico"
3. Victim authenticates normally on secure.unico.io
4. OAuth callback URL (with ?code=) is sent to attacker via postMessage("*")
5. Attacker steals authorization code → Account Takeover

Vulnerable Code (Production)

Source: https://secure.unico.io/assets/packages/unico_core/web/plugins/web_auth_handler.js

// Storage keys used by the handler (declaration completed so the snippet parses as-is).
const AUTH_DESTINATION_KEY = "auth_destination_url",
      AUTH_RESPONSE_KEY = "auth_info";

window.onload = function() {
    if (window.opener && window.opener !== window) {
        // Popup flow: forward the full callback URL, including ?code=, to the
        // opener with a "*" targetOrigin, so an opener on any origin receives it.
        (window.opener ?? window.parent).postMessage(location.href, "*");  // VULNERABLE
    } else {
        // Redirect flow: stash the callback URL and return to the stored destination.
        // Note: the "/" fallback is applied to the key name here, not to the stored value.
        let e = sessionStorage.getItem(AUTH_DESTINATION_KEY || "/");
        sessionStorage.removeItem(AUTH_DESTINATION_KEY);
        sessionStorage.setItem(AUTH_RESPONSE_KEY, window.location);
        location.assign(e);
    }
};
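Added here as a defender-side check, not code from the report or from Unico: a small scanner that flags postMessage() calls in JavaScript source whose targetOrigin argument is the wildcard "*", run over a constructed sample that includes the vulnerable line quoted above. It assumes at most one level of nested parentheses inside the argument list and no parentheses inside quoted strings.

```javascript
// Matches postMessage(<args>) and captures <args>, allowing one level of nested
// parentheses (e.g. JSON.stringify(...)) inside the argument list.
const CALL_RE = /postMessage\s*\(((?:[^()]|\([^()]*\))*)\)/g;
// Split an argument list on top-level commas only, so commas inside strings,
// object literals or nested calls do not shift the targetOrigin position.
function splitArgs(argText) {
  const args = [];
  let cur = "", depth = 0, quote = null;
  for (const ch of argText) {
    if (quote) { if (ch === quote) quote = null; }
    else if ('"\'`'.includes(ch)) quote = ch;
    else if ("([{".includes(ch)) depth++;
    else if (")]}".includes(ch)) depth--;
    else if (ch === "," && depth === 0) { args.push(cur.trim()); cur = ""; continue; }
    cur += ch;
  }
  if (cur.trim()) args.push(cur.trim());
  return args;
}

// "*" reaches any origin; a quoted string is a fixed origin; anything else is an
// expression to review by hand; an absent argument means the browser's "/" default.
function classifyTarget(target) {
  if (target === undefined) return "missing";
  if (/^["'`]\*["'`]$/.test(target)) return "wildcard";
  if (/^["'`][^"'`]*["'`]$/.test(target)) return "literal";
  return "dynamic";
}

// One finding per call: 1-based line number, targetOrigin text and its class.
function scanPostMessage(source) {
  const findings = [];
  source.split("\n").forEach((line, idx) => {
    for (const m of line.matchAll(CALL_RE)) {
      const target = splitArgs(m[1])[1];
      findings.push({ line: idx + 1, target, kind: classifyTarget(target) });
    }
  });
  return findings;
}

// Constructed sample: the vulnerable line quoted in the report plus two safer variants.
const SAMPLE = [
  "const x = 1;",
  '(window.opener ?? window.parent).postMessage(location.href, "*");',
  'window.opener.postMessage(location.href, "https://secure.unico.io");',
  "opener.postMessage(JSON.stringify({ code }), expectedOrigin);",
].join("\n");
console.log(scanPostMessage(SAMPLE).filter((f) => f.kind === "wildcard"));
```

Run it over each file in a built asset bundle and fail CI on any "wildcard" finding; "dynamic" findings still need a manual look.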

Secure Fix

// Option 1: if the opener is always the same origin as this callback page,
// name that origin explicitly instead of "*":
window.opener.postMessage(location.href, window.location.origin);

// Option 2: allowlist. A cross-origin opener's .origin cannot be read from
// this page (the access throws a SecurityError), so do not inspect it;
// instead pass each allowed origin as targetOrigin. The browser delivers the
// message only if the opener's current origin matches, and drops it otherwise:
const ALLOWED_ORIGINS = ['https://secure.unico.io', 'https://app.unico.io'];
for (const origin of ALLOWED_ORIGINS) {
    window.opener.postMessage(location.href, origin);
}

HackerOne Report #3519772 | Researcher: rcarpi | For authorized security testing only.