OK so if you've been on the internet long enough, there's a good chance that one of your emails has been leaked and circulated amongst amateur scammer groups. I am no exception. Today I got sent an email stating that my 1Password subscription had expired. Man, I don't even use 1Password (or do I? That's for you to decide).
It's been a fat minute since I've done a cyber side-quest, so I figured it was time to bust out the ol' Kali box and get to work.
First, we see Postmark as the email sender system (will have to report to them). Seems to be the latest and greatest spammer trend. The initial email link had a redirector which sent me off to the 1passvword-account[.]com website. Nothing to note on the DNS front. We'll send an abuse complaint to the registrar later. I don't wanna do historical WHOIS analysis because that takes a lot of time.
Naturally we've got the Let's Encrypt certificate... I guess we will have to send an abuse report to them too. Judging by the CT log, the website was completely fresh... Woah, wait, this might mean we are the first "victim" to visit the website! I wonder if the developer is still working on it.
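The two signals used above, a lookalike of the brand domain plus a certificate that only just appeared in CT, are exactly what a brand-monitoring triage script keys on. Added example (not from the original post): the CT records are constructed to mirror the crt.sh JSON shape (`not_before`, `name_value`, `issuer_name`), and the domain/date values are sample data, not the real CT entries for this site.

```python
import json
from datetime import datetime

# Constructed crt.sh-style records for the lookalike domain (sample data, not real CT output).
SAMPLE_CT_JSON = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R11",
     "common_name": "1passvword-account.com",
     "name_value": "1passvword-account.com\nwww.1passvword-account.com",
     "not_before": "2026-03-01T09:12:44", "not_after": "2026-05-30T09:12:43"},
])

BRAND_DOMAINS = ["1password.com"]  # brands we want to protect

def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; a distance of 1-2 from a brand label smells like typosquatting."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable_label(domain: str) -> str:
    # Crude: the label left of the TLD ("1passvword-account.com" -> "1passvword-account").
    return domain.lower().rstrip(".").rsplit(".", 2)[-2]

def brand_distance(domain: str) -> int:
    """Smallest edit distance between any hyphen-separated chunk of the domain and a brand label."""
    label = registrable_label(domain)
    chunks = label.split("-") + [label]
    return min(levenshtein(c, registrable_label(b)) for c in chunks for b in BRAND_DOMAINS)

def cert_age_days(ct_json: str, now_iso: str) -> float:
    """Days since the earliest not_before in the CT records; a days-old cert is a freshness signal."""
    records = json.loads(ct_json)
    earliest = min(datetime.fromisoformat(r["not_before"]) for r in records)
    return (datetime.fromisoformat(now_iso) - earliest).total_seconds() / 86400

def triage(domain: str, ct_json: str, now_iso: str) -> dict:
    # Flag when the name is within 2 edits of a brand AND the first cert is under a week old.
    dist = brand_distance(domain)
    age = round(cert_age_days(ct_json, now_iso), 2)
    return {"domain": domain, "brand_distance": dist, "cert_age_days": age,
            "suspicious": dist <= 2 and age < 7}

def demo() -> dict:
    return triage("1passvword-account.com", SAMPLE_CT_JSON, "2026-03-03T09:12:44")

if __name__ == "__main__":
    print(demo())
```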
After opening up Burp Suite, it was time to start probing. After being redirected, the website shoved me to a /verify endpoint where a fingerprinting script would be run. When I initially started the verification process, it would fail due to the JS sending a malformed POST request containing browser fingerprint information. One cache miss later, the website stopped failing of its own accord. Wait, what!? Is the TA updating the website live as I am probing it? Yup! After discovering this, I figured that I shouldn't be "going loud" immediately. Instead I just sat there and hit refresh.
At the first refresh, I got a verification failure because the TA hadn't coded the fingerprinting JS POST request properly.
At the second refresh, the JS code had been updated, but the website failed to verify because my screen resolution wasn't acceptable.
At the third refresh, I was able to get past the screen resolution verification (without changing anything), but the website failed my verification because my IP was blacklisted.
Man, the TA is modifying the verification system live so that I can use their website, how sweet of them ♥️.
After rotating my IP address, I got past the verification endpoint.
OK so it's time to send some stuff to the TA to reward their good behavior. After going through the submission behavior, I documented the flow for logging in.
After hitting continue, the website goes and verifies the email against a stateless verifier endpoint.
After this, the website starts asking for the full account credentials.
Ehhh? What's the secret key format? Well, the TA was nice enough to *not* obfuscate the source code, so we can see the regex check pretty clearly :)
After hitting send, the website submits the credentials to the backend, which replies with a success/failure.
A key thing which I had noticed, however, is that it took nearly 20 seconds for the endpoint to reply. I was getting déjà vu with Russian Steam hijacking websites because their final stage also usually took a while to spin up a verification session. With this, I made the assumption that the backend was likely verifying against 1Password's legit infrastructure to test the credentials provided.
At this point, it was time to start going loud. I was sure that the TA had noticed my faux credentials and would likely be tipped off that something suspicious was going on.
What's our favorite thing to do when we find a phishing website that is completely unprotected? You should know the answer.
OKAY, so first things first was to spin up feroxbuster and go ham. Feroxbuster returned empty-handed and so did ZAP proxy. After setting up Burp Intruder to flood the collection endpoint, I noticed that the website's functionality had... changed. The /verify endpoint was no longer there. As well as this, the /login endpoint no longer gave a fail state; it just hard-redirected to the legit 1Password.
Idk what bro was thinking but removing those live wasn't doing much.
Then the nuke dropped on the TA. I found out that the website was vulnerable to some limited LFI. I immediately pulled as much as possible, most notably the server's source code - server.js. Jackpot.
The TA immediately started panicking and began to nuke the infra.
First, the TA nuked the DNS records, resulting in some temporary disruption to my activities.
Unfortunately, the dumbass forgot to restrict direct IP address access, so I just continued my work using the direct IP.
After probing around for a while, the TA once again got smart and nuked the webservices on port 80 and 443. Damn.
Did I give up? Nope. I opened up Nmap and noticed that port 3000 was open. Surely this commonly used dev port doesn't have an instance of the website running, right?
Back at it LMAO. I continued to probe until the TA started adding my proxy's ASN to his blacklist.
So I rotated my IP to Japan and once again I was back at it. At this point the TA had secured the LFI.
After spamming slow HTTP headers and the /login endpoint with bogus data, the TA had had enough and port 3000 was finally closed off.
I proclaimed my victory and reported the site to 1Password. To the TA, if you are reading this, you seriously need to up your game; this is very amateur. You cannot get away with vibe coding phishing sites in the big 2026. Oh, and you're welcome for the free amateur pentest.
I am leaking the server.js source code, it can be found here, but I will be gatekeeping the leaked API keys for myself :).
I somehow don't think this fight is over, but you can bet your ahh that I will be back if I get another phishing email.