Thread: Facebook Custom Audiences OAuth 2.0 Redirect URI Bypass

  #1 Webapp Secninja (joined Aug 2012, Ranchi, Jharkhand; 41 posts; 2 blog entries)

    Facebook Custom Audiences OAuth 2.0 Redirect URI Bypass

    I am sharing one of my findings that I submitted to Facebook's Whitehat program earlier this year.

    Facebook Ads Manager provides a sort of integration with MailChimp, to fetch data into Facebook Ads Manager. The application is a part of the MailChimp website; it works on MailChimp's OAuth 2.0 implementation and is purely developed by Facebook developers. So once the MailChimp user authorises the application, it will send MailChimp data to Facebook Ads Manager.


    OAuth Authorisation URL for Facebook Custom Audiences is/was:

    https://login.mailchimp.com/oauth2/authorize?response_type=code&client_id=112041070777&redirect_uri=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanage%2Fcontact_importer_auth%2F

    I tried to play around with redirect_uri to hijack the control flow via different techniques, but failed. I moved on and started fiddling around with the MailChimp OAuth 2.0 specs, and I discovered something interesting: the specs talk about wildcard redirect_uri.

    So, I gave it a second thought: what if Facebook had their redirect_uri misconfigured to *.facebook.com instead of www.facebook.com? I tried a few requests such as the following, and all worked:

    https://login.mailchimp.com/oauth2/authorize?response_type=token&client_id=112041070777&redirect_uri=https%3A%2F%2Ftest.facebook.com%2Fderp%2F

    https://login.mailchimp.com/oauth2/authorize?response_type=code&client_id=112041070777&redirect_uri=https%3A%2F%2Fderp.facebook.com%2Fblahblah%2F

    So, basically I can tamper with the redirect_uri and hijack the OAuth flow to [controlled].facebook.com. Moving on, it's evident that Facebook hosts 3rd-party applications under apps.facebook.com/appname; using this, a redirect URL can be constructed which will point to a malicious 3rd party that will steal the MailChimp access_token using this Facebook Custom Audiences application.


    Final Attacking Steps would be:

    1. Attacker sends Facebook Custom Audiences OAuth link with tampered redirect_uri to the victim:

    https://login.mailchimp.com/oauth2/authorize?response_type=token&client_id=112041070777&redirect_uri=https%3A%2F%2Fapps.facebook.com%2Fattacker%2F

    2. Victim authorises the MailChimp application.

    3. Attacker receives the access_token using his malicious app hosted at apps.facebook.com/appname.


    Facebook has fixed the vulnerability by restricting redirect_uri to www.facebook.com and rewarded this bug.


    Proof of Concept:



    - Prakhar Prasad
    Last edited by prakhar; 07-13-2014 at 03:01 PM.
    Hacking Wacking Sab Moh Maya Hai
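The defect in this post is a redirect_uri check that accepts any host under the registered domain. The following is an added example (not code from the post, Facebook or MailChimp) that puts that permissive host-suffix match beside the exact-match comparison RFC 6749 recommends, and runs both over the redirect_uri values quoted above; function names and the audit helper are my own.

```python
# Added example: permissive vs. exact redirect_uri validation on an OAuth 2.0
# authorization server. Constants are the URLs quoted in the post; the function
# names and the audit() helper are assumptions of this example, not real APIs.
from urllib.parse import urlparse, parse_qs

# Registered redirect URI quoted in the post.
REGISTERED_REDIRECT = "https://www.facebook.com/ads/manage/contact_importer_auth/"

# Authorize URLs from the post (first is the legitimate one, last is step 1 of the attack).
AUTHORIZE_URLS = [
    "https://login.mailchimp.com/oauth2/authorize?response_type=code&client_id=112041070777"
    "&redirect_uri=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanage%2Fcontact_importer_auth%2F",
    "https://login.mailchimp.com/oauth2/authorize?response_type=token&client_id=112041070777"
    "&redirect_uri=https%3A%2F%2Ftest.facebook.com%2Fderp%2F",
    "https://login.mailchimp.com/oauth2/authorize?response_type=token&client_id=112041070777"
    "&redirect_uri=https%3A%2F%2Fapps.facebook.com%2Fattacker%2F",
]

def redirect_uri_from_authorize_url(authorize_url: str) -> str:
    """Extract the percent-decoded redirect_uri parameter from an authorize URL."""
    params = parse_qs(urlparse(authorize_url).query)
    return params.get("redirect_uri", [""])[0]

def wildcard_host_match(redirect_uri: str, registered: str = REGISTERED_REDIRECT) -> bool:
    """Weak setting: any https host under the registered domain, any path.
    This models the *.facebook.com behaviour the post describes."""
    r, g = urlparse(redirect_uri), urlparse(registered)
    domain = ".".join(g.hostname.split(".")[-2:])   # "facebook.com"
    host = r.hostname or ""
    return r.scheme == "https" and (host == domain or host.endswith("." + domain))

def exact_match(redirect_uri: str, registered: str = REGISTERED_REDIRECT) -> bool:
    """Corrected setting: simple string comparison of scheme, host, port and path
    (RFC 6749 section 3.1.2.3); no query or fragment is accepted."""
    r, g = urlparse(redirect_uri), urlparse(registered)
    return (r.scheme == g.scheme == "https"
            and r.hostname == g.hostname
            and r.port == g.port
            and r.path == g.path
            and r.query == "" and r.fragment == "")

def audit(authorize_urls=AUTHORIZE_URLS) -> dict:
    """Map each request's redirect_uri to (accepted_by_wildcard, accepted_by_exact)."""
    results = {}
    for url in authorize_urls:
        ru = redirect_uri_from_authorize_url(url)
        results[ru] = (wildcard_host_match(ru), exact_match(ru))
    return results

if __name__ == "__main__":
    for ru, (loose, strict) in audit().items():
        print(f"{ru}\n  wildcard match: {loose}   exact match: {strict}")
```

Only the registered URI passes the exact check; the sibling-host and apps.facebook.com URIs pass the wildcard check alone, which is exactly the gap the fix described in the post closed.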

  #2

    Video?

    Hi bro, it's great if you kindly upload a video or give any tutorial for this type of bypass. For learning, I understand 50/50, so I am confused... Kindly upload a video. I am very thankful to you.

  #3

    Thanks bro

    Thanks, bro...
    for sharing...
    Bro, can you share more videos like this?
    It's great for learning...
    Thanks
