
Thread: Pwning Facebook accounts, taking a little help from Quora

  #1 Webapp Secninja

    Pwning Facebook accounts, taking a little help from Quora

    I want to share the details of a redirection flaw that I found on Quora, an extremely popular Q/A website with an Alexa rank of around 800 worldwide, and how someone could exploit the issue to hack Facebook accounts.

    So, let's come to the topic. While signing up for the Quora website, I preferred using Facebook Connect, which gives Quora "limited" access to my account so that the website can fetch the necessary details from my Facebook account for registration. I noticed that domain was permitted to receive the access_token from Facebook OAuth; any other domain would result in a failure of that request. See below:

    (image: origin.jpg)

    Cool, so I needed to find an open redirection inside the to steal the access_token of any Quora user who signed up using Facebook and has the app enabled.

    Luckily I found a redirection issue in the contacts import page itself. The redirector was like:

    So this link would redirect to ; accordingly, I could redirect users to any domain of my choice.

    Now I made a script that would save the token from URL into a file and redirect [unsuspecting] user to Facebook homepage. It was located at

    To make it a working exploit I needed these:

    1. A Facebook OAuth authorization URL requests token permission from the user, but as the user will already have the Quora app installed, it will redirect to the value specified in the next parameter of the OAuth authorization URL with a valid access_token.

    2. As discussed, we know next can be any page/resource under . So the next parameter must be set to ; when the redirection happens, the token is first sent to (the allowed domain), then another redirection [the open redirection] moves the token to , where my script will do its job.

    Final OAuth authorization URL that would steal the access_token looks like ://

    Once the victim who has the Quora app installed (or, in other words, signed up via Facebook) visits the above link, his token will be stored and he will be redirected back to Facebook, as if nothing has happened.

    Using the stolen access_token I can, for example, publish a status on the victim's profile.

    (image: publish.jpg)

    The Quora app has 500,000+ monthly users on Facebook. So, all of them were at risk!

    (image: quora_app.jpg)

    Here's the video demo:


    8th June 2013 - Vulnerability Found
    9th June 2013 - Vulnerability Reported
    13th June 2013 - No Reply from Quora
    13th June 2013 - Another notification sent to Quora staff member, got a reply acknowledging the issue
    14th June 2013 - Fix issued on Quora, public disclosure
    Last edited by prakhar; 06-14-2013 at 04:02 AM.
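The fix side of the chain described in the post, as an added example that is not part of the original post or Quora's code: the OAuth provider trusts the whole registered domain, so a `next`-style redirect parameter on that domain must be restricted to same-host targets, including the scheme-relative, userinfo and backslash forms that naive prefix checks miss. The allowed hosts and function names below are assumptions for the example.

```python
from urllib.parse import urlsplit

# Constructed allow-list for the example: the only hosts a redirect parameter
# may send a user to.  Not Quora's real configuration.
ALLOWED_HOSTS = {"www.quora.com", "quora.com"}


def is_safe_redirect(next_url: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Return True only if next_url stays on an allowed host.

    An open redirect under a domain that an OAuth provider trusts forwards
    the access_token to whatever host the attacker names, so the redirect
    target is checked as a parsed URL, not as a string prefix.
    """
    if not next_url:
        return False
    # Browsers treat a backslash like a slash in the authority part, and
    # whitespace/control characters confuse parsers; reject them outright.
    if any(c == "\\" or c == " " or ord(c) < 0x20 for c in next_url):
        return False
    try:
        parts = urlsplit(next_url)
    except ValueError:  # e.g. malformed IPv6 brackets
        return False
    # A plain site-relative path such as "/contacts" is fine; "//evil.example"
    # is scheme-relative and would leave the site, so it is refused.
    if not parts.scheme and not parts.netloc:
        return next_url.startswith("/") and not next_url.startswith("//")
    if parts.scheme not in ("http", "https"):
        return False
    # .hostname drops userinfo ("www.quora.com@evil.example") and the port.
    host = (parts.hostname or "").lower().rstrip(".")
    return host in allowed_hosts


def resolve_redirect(next_url: str, fallback: str = "https://www.quora.com/") -> str:
    """Redirect helper: honour next_url only when it passes the check."""
    return next_url if is_safe_redirect(next_url) else fallback
```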
