
OAuth token validation bug in Facebook


This is my first blog post. I started bug hunting on Facebook in 2016 and got listed in Facebook's Hall of Fame for 2016 and 2017 for finding various bugs. I thank all the people who supported me till here, especially my best friend Shaila. I will be posting my findings/thoughts here.

Bug: Missing validation of the "oauth_token" at the "facebook.com/twitter" endpoint allows an attacker to link his Twitter account to the victim's page even after the victim removes the attacker's admin role on the page.

The endpoint "https://www.facebook.com/twitter/?setup=1" allows a user to link their account/page to a Twitter account.


To link a page to a Twitter account, you need to go to this URL and click on the "Link to Twitter" button, which generates a URL that looks like "https://twitter.com/oauth/authorize?oauth_token=Z2lV-AAAAAAAADeMAAABW9-WtA8".
Once the user clicks on "Authorize app", the selected account/page gets linked to the Twitter account.
The interesting fact here is that Twitter's OAuth flow does not implement a state parameter, and its tokens never expire.
To learn more about OAuth and how it works, refer to https://en.wikipedia.org/wiki/OAuth

Now, the bug scenario is as follows.

  • A and B are admins of a page, where A is the attacker and B is the victim.
  • A tries to link the page to Twitter and gets the URL containing the OAuth token (e.g. https://twitter.com/oauth/authorize?oauth_token=Z2lV-AAAAAAAADeMAAABW9-WtA8).
  • But A just keeps this URL without using it.
  • B removes A's admin role from the page.
  • Now A no longer has admin access to the page.
  • As A has lost admin access to the page, A cannot link the page to any Twitter account.
  • But what if A can make B link the page to A's Twitter account? :P
  • A opens the previously saved URL and, using Burp Suite, captures the return URL, which will look like "https://www.facebook.com/feed/export/service_landing.php?service=1&oauth_token=7rKYwgAAAAAAADeMAAABWm0_rvA&oauth_verifier=zvr1Njy9Y6y3FYC48Gu5kMA4UzCmeNe0".
  • A sends this URL to the victim as a message or otherwise makes the victim open it.
  • When the victim opens the URL, the victim's page gets linked to A's Twitter account.
Here, an attacker was able to re-use the token even after losing admin access to that page, because the callback only checked that whoever opened it was a current admin, not that the token had been issued to that same user.
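As an added illustration (not Facebook's code), here is a constructed model of the page-to-Twitter linking flow: a callback with only the check the post describes, beside a hardened callback that binds the request token to the user and page that started the flow, makes it single-use and short-lived, and re-checks the admin role at completion time. All names, the token value and the TTL are assumptions.

```python
TOKEN_TTL = 600  # seconds; hypothetical lifetime (the post notes Twitter's tokens never expired)


class LinkService:
    """Constructed in-memory model of the linking flow, not Facebook's implementation."""

    def __init__(self, admins):
        self.admins = admins      # page id -> set of admin user ids
        self.pending = {}         # oauth_token -> who requested it, for which page, and when
        self.linked = {}          # page id -> linked Twitter handle

    def start_link(self, user, page, oauth_token, now):
        # Step 1: "Link to Twitter" issues a request token; remember who asked and for what.
        if user not in self.admins.get(page, set()):
            raise PermissionError("not an admin of this page")
        self.pending[oauth_token] = {"user": user, "page": page, "issued_at": now, "used": False}

    def callback_vulnerable(self, session_user, oauth_token, twitter_handle):
        # Behaviour the post describes: any current admin who opens the callback URL
        # completes the link, regardless of who the token was originally issued to.
        rec = self.pending.get(oauth_token)
        if rec is None or session_user not in self.admins.get(rec["page"], set()):
            return False
        self.linked[rec["page"]] = twitter_handle
        return True

    def callback_hardened(self, session_user, oauth_token, twitter_handle, now):
        # Reject unknown, already-used or expired tokens, tokens issued to a different
        # session user, and requests where the user is no longer an admin of the page.
        rec = self.pending.get(oauth_token)
        if rec is None or rec["used"] or now - rec["issued_at"] > TOKEN_TTL:
            return False
        if rec["user"] != session_user or session_user not in self.admins.get(rec["page"], set()):
            return False
        rec["used"] = True
        self.linked[rec["page"]] = twitter_handle
        return True


def replay_scenario(hardened):
    """Re-runs the post's sequence: A starts the flow, B removes A, B opens A's callback URL.
    Returns True if the page ended up linked to A's Twitter account."""
    svc = LinkService({"page42": {"A", "B"}})
    svc.start_link("A", "page42", "tok-constructed", now=0)
    svc.admins["page42"].discard("A")           # B removes A's admin role
    if hardened:
        svc.callback_hardened("B", "tok-constructed", "@attacker_twitter", now=30)
    else:
        svc.callback_vulnerable("B", "tok-constructed", "@attacker_twitter")
    return svc.linked.get("page42") == "@attacker_twitter"
```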
Reported this to Facebook and got a nice bounty :)

This made my name get listed in Facebook's Hall of Fame 2017 as well.

Let me know your thoughts on this :)

POC Video

Vimeo link: https://vimeo.com/216341548

Report timeline

22nd February, 2017 - Bug reported
28th February, 2017 - Asked for more clarification.
28th February, 2017 - Provided more clarification.
28th February, 2017 - Arthur confirmed the bug and sent it to the product team.
6th March, 2017 - Issue resolved; asked to confirm the fix.
16th March, 2017 - Bounty awarded.

