OAuth is an open standard for authorization, commonly used as a way for Internet users to log in to third-party websites using their Microsoft, Google, Facebook, Twitter, One Network etc. accounts without exposing their password.
A misconfigured OAuth setting can lead to account takeover, CSRF attacks and token leakage (authorization code and access token). Visit http://www.oauthsecurity.com for a longer list of OAuth attacks. This blog post is about misconfigured Facebook OAuth settings that have a security impact on its users. The bugs were reported, and Facebook had mitigated them before I disclosed this.
- Bypass Moves OAuth 2 redirect_uri
- Leak MailChimp access_token via open redirector
- Cross-site request forgery on OAuth clients (modifies the victim's Spotify playlist via CSRF)
0x01 - Bypass Moves (Facebook acquisition) OAuth 2 redirect_uri
I created an OAuth application whose registered redirect_uri is https://www.google.com/, so its authorization_uri must not be
But when I changed the redirect_uri to https://www.google.com.ph (appending a .ph suffix to the domain of the Moves redirect_uri), it surprisingly worked :). Besides that, the redirect_uri can also be bypassed via /../../: for example, if the registered redirect_uri is https://www.google.com/app/url, change the redirect_uri to `https://www.google.com/app/url/../../`.
The flaw could be used to leak a victim user's access_token to the attacker's domain.
According to the OAuth 2 documentation, the redirect_uri must be equal to the registered redirect_uri: http://tools.ietf.org/html/rfc6819#page-62
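To make the two bypasses above concrete from the server side, here is an added example (not Moves' or Facebook's code) contrasting a prefix-style redirect_uri check, which accepts both the `.ph` suffix and the `/../../` path, with the exact-match comparison RFC 6819 calls for. The registered URIs are the constructed values used in the post; the function names are my own.

```python
from urllib.parse import urlsplit

# Constructed registration values mirroring the post's example; not Moves' own configuration.
REGISTERED_ROOT = "https://www.google.com/"
REGISTERED_PATH = "https://www.google.com/app/url"


def weak_match(registered: str, requested: str) -> bool:
    """Prefix comparison: the kind of check that accepts both bypasses in the post."""
    return requested.startswith(registered.rstrip("/"))


def strict_match(registered: str, requested: str) -> bool:
    """Exact comparison of scheme, host:port, path and query, as RFC 6819 recommends.

    Scheme and host are compared case-insensitively (they are case-insensitive by
    definition); the path must match byte for byte, fragments are never accepted,
    and dot-segments are rejected outright so '/../' can never walk out of the
    registered path even if a later component normalises it.
    """
    reg, req = urlsplit(registered), urlsplit(requested)
    if req.fragment:
        return False
    if any(seg in ("..", ".") for seg in req.path.split("/")):
        return False
    return (
        req.scheme.lower() == reg.scheme.lower()
        and req.netloc.lower() == reg.netloc.lower()  # netloc includes the port
        and req.path == reg.path
        and req.query == reg.query
    )


if __name__ == "__main__":
    # Constructed requests: the two bypasses from the post plus the legitimate value.
    cases = [
        (REGISTERED_ROOT, "https://www.google.com/"),
        (REGISTERED_ROOT, "https://www.google.com.ph"),
        (REGISTERED_PATH, "https://www.google.com/app/url/../../"),
    ]
    for registered, requested in cases:
        print(f"{requested:45} weak={weak_match(registered, requested)!s:5} "
              f"strict={strict_match(registered, requested)}")
```

The prefix check is what makes a registered `https://www.google.com/` accept `https://www.google.com.ph`, and the suffix could just as well be an attacker-controlled host such as `www.google.com.attacker.example`; the strict check rejects anything that is not the registered value itself.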
0x02 - Leak MailChimp access_token via open redirector
Facebook sends an email notification about the user's saved links every week. If the user clicks any link in that email notification, the browser is redirected to facebook.com and then on to the original link without passing through the Facebook linkshim. This looks like an open redirector bug.
The vulnerable parameter is object_id; we can get the object_id from https://www.facebook.com/saved/?cref=38 when we use this endpoint
In the exploitation part, I used the Facebook open redirect to leak the access_token of the MailChimp OAuth flow. Facebook Ads Manager https://www.facebook.com/ads/manage/?act=109060336 can import MailChimp customer data using OAuth 2. I found that MailChimp OAuth places no restriction on the redirect_uri value (Covert Open redirect), so the open redirect vulnerability on Facebook can be abused to leak the victim user's access_token.
Steps of reproduction
- Go to your profile, then post a link (a link to the malicious site)
- Save the link by clicking the dropdown button at the upper right of the post, then click the
- Now you need to use your
object_id of the link.
- The final open redirect PoC must be
- Use the
final open redirect PoC as the
redirect_uri of the MailChimp OAuth 2 flow, i.e.
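The chain above only works because the first hop sends the browser wherever object_id points. As an added example (not Facebook's linkshim or MailChimp's code), here is the check a redirect endpoint can apply to the target it is about to send the browser to: only same-origin paths or hosts on an explicit allowlist are honoured, and everything else falls back to a safe page. The allowlist host and the sample targets are constructed.

```python
from urllib.parse import urlsplit

# Constructed allowlist: the site's own origin(s). Not a real Facebook configuration.
TRUSTED_HOSTS = {"www.site.example"}
FALLBACK = "/"


def safe_redirect_target(target: str) -> str:
    """Return `target` if it stays on a trusted origin, otherwise FALLBACK.

    Accepts: absolute paths such as '/saved/?cref=38', and http(s) URLs whose
    hostname is in TRUSTED_HOSTS. Rejects: protocol-relative '//host', backslash
    tricks some browsers fold into '/', non-http schemes, userinfo tricks such as
    'https://trusted@evil', and lookalike hosts such as 'trusted.evil'.
    """
    if not target:
        return FALLBACK
    parts = urlsplit(target)
    if not parts.scheme and not parts.netloc:
        # A bare path: keep it only if it is clearly rooted on our own origin.
        if target.startswith("/") and not target.startswith("//") and "\\" not in target:
            return target
        return FALLBACK
    if (parts.scheme.lower() in ("http", "https")
            and parts.hostname
            and parts.hostname.lower() in TRUSTED_HOSTS):
        return target
    return FALLBACK


if __name__ == "__main__":
    # Constructed targets, including the shapes an open-redirect probe usually tries.
    for t in ["/saved/?cref=38", "https://www.site.example/saved/", "//evil.example",
              "https://www.site.example@evil.example/", "https://www.site.example.evil.example/",
              "javascript:alert(1)", "/\\evil.example"]:
        print(f"{t:45} -> {safe_redirect_target(t)}")
```

Note that `urlsplit` is asked for `hostname`, not `netloc`, so credentials and ports embedded in the URL cannot disguise the real host; comparing on the whole netloc string is a common way this check goes wrong.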
0x03 - Cross-site request forgery on OAuth clients (modifies the victim's Spotify playlist via CSRF)
A Facebook user can embed a Spotify playlist on his Facebook timeline by posting a Spotify link such as this one
On that embedded playlist, the user has an option to add the playlist to his Spotify account via OAuth 2; Facebook uses the Spotify OAuth 2 flow to perform that action.
I found that Facebook uses the Spotify OAuth 2 flow without the OAuth state parameter. According to the OAuth 2.0 Threat Model and Security Considerations and the Spotify OAuth documentation, the state parameter is what prevents CSRF attacks on the OAuth flow (see http://tools.ietf.org/html/rfc6819#section-3.6 and https://developer.spotify.com/web-api/authorization-guide/, 'Your application requests authorization'). Because there is no CSRF protection, a malicious user could mount a CSRF attack against Facebook that updates the victim's playlist.
- Post the link on your timeline
to generate the embedded playlist, then copy the Spotify authorization URL. This is the Spotify authorization URL used by Facebook
- Now remove the
&show_dialog=true parameter from the authorization URL, so the final URL will be
- If the victim visits the PoC link, the CSRF will be triggered
Video demonstration: csrfonouathfacebookandspotify.mp4?dl=0
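What the missing state parameter should have looked like on the client side, as an added example that is not Facebook's or Spotify's code: the client mints a random state, binds it to the user's session when it builds the authorization URL, and refuses any callback whose state is absent, different, or already consumed. The authorization endpoint, client id and redirect_uri are constructed placeholders, and the session is modelled as a plain dict standing in for a server-side session store.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed placeholder; a real client would use the provider's documented endpoint.
AUTHORIZE_ENDPOINT = "https://authorization-server.example/authorize"


def build_authorization_url(session: dict, client_id: str, redirect_uri: str, scope: str) -> str:
    """Build the redirect to the authorization server and bind a fresh state to the session."""
    state = secrets.token_urlsafe(32)          # 256 bits of unguessable entropy
    session["oauth_state"] = state             # server-side, tied to this browser's cookie
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def state_from_url(url: str) -> str:
    """Extract the state parameter from a URL (helper for callers and tests)."""
    return parse_qs(urlsplit(url).query).get("state", [""])[0]


def handle_callback(session: dict, callback_url: str):
    """Return the authorization code if the callback's state matches the session, else None.

    The stored state is popped, so it is single-use: a replayed or forged callback
    arriving with no matching state in the session is rejected before any code is
    exchanged and any playlist is touched.
    """
    expected = session.pop("oauth_state", None)
    query = parse_qs(urlsplit(callback_url).query)
    received = query.get("state", [""])[0]
    if not expected or not received or not hmac.compare_digest(expected, received):
        return None
    return query.get("code", [None])[0]


if __name__ == "__main__":
    session = {}
    url = build_authorization_url(session, "client-123", "https://client.example/cb", "playlist-modify")
    print("authorize at:", url)
    good = f"https://client.example/cb?code=AUTHCODE&state={state_from_url(url)}"
    print("legit callback ->", handle_callback(session, good))
    forged = "https://client.example/cb?code=ATTACKER-CODE"
    print("forged callback ->", handle_callback({}, forged))
```

A forged callback, like the one the post describes, carries a code the attacker obtained for their own account but cannot carry a state that matches the victim's session, so the client drops it. Using `hmac.compare_digest` keeps the comparison constant-time; the state must live server-side (or in a signed, HttpOnly cookie), never only in the URL.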