
Thread: Facebook Custom Audiences OAuth 2.0 Redirect URI Bypass Share/Save - My123World.Com!

  1. #1
    Webapp Secninja

    Cool Facebook Custom Audiences OAuth 2.0 Redirect URI Bypass

    I am sharing one of my findings that I submitted to Facebook's Whitehat program earlier this year.

    Facebook Ads Manager provides a sort of integration with MailChimp to fetch data into Facebook Ads Manager. The application is a part of the MailChimp website, it works on MailChimp's OAuth 2.0 implementation and is purely developed by Facebook developers. So once the MailChimp user authorises the application, it will send MailChimp data to Facebook Ads Manager.

    OAuth Authorisation URL for Facebook Custom Audiences is/was: 7& s%2Fmanage%2Fcontact_importer_auth%2F

    I tried to play around with redirect_uri to hijack the control flow via different techniques but failed. I moved on and started fiddling around with the MailChimp OAuth 2.0 specs, and I discovered something interesting: the specs talk about wildcard redirect_uri.

    So, I gave it a second thought: what if Facebook had their redirect_uri misconfigured to * instead of I tried a few requests such as the following and all worked: 77& derp%2F 7& lahblah%2F

    So, basically I can tamper with the redirect_uri and hijack the OAuth flow to [controlled] Moving on, it's evident that Facebook hosts 3rd party applications under, and using this a redirect URL can be constructed which will point to a malicious 3rd party that will steal the MailChimp access_token using this Facebook Custom Audiences application.

    Final Attacking Steps would be:

    1. Attacker sends Facebook Custom Audiences OAuth link with tampered redirect_uri to the victim: 77& attacker%2F

    2. Victim Authorises the MailChimp application

    3. Attacker receives access_token using his malicious app hosted at

    Facebook has fixed the vulnerability by restricting redirect_uri to and rewarded this bug.

    Proof of Concept:

    - Prakhar Prasad
    Last edited by prakhar; 07-13-2014 at 03:01 PM.
    Hacking wacking, it's all moh maya (worldly illusion)
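    Added example (not code from the post, MailChimp or Facebook): the scheme+host "wildcard" redirect_uri check the post describes, beside an exact-match check, run over a registered redirect and a same-host redirect pointing at a different app path. The client id, hosts and paths are constructed placeholders.

    ```python
    from urllib.parse import urlparse, urlunparse, parse_qs

    # Registered redirect_uri per client_id, as an authorization server would store
    # it. Client id, hosts and paths are constructed placeholders.
    REGISTERED_REDIRECTS = {
        "custom-audiences-demo": [
            "https://ads.example-platform.test/manage/contact_importer_auth/",
        ],
    }

    def _normalize(uri: str) -> str:
        """Lower-case scheme and host, drop default ports and fragments, keep path and query."""
        p = urlparse(uri)
        host = (p.hostname or "").lower()
        if p.port and p.port not in (80, 443):
            host = f"{host}:{p.port}"
        return urlunparse((p.scheme.lower(), host, p.path or "/", "", p.query, ""))

    def wildcard_match(client_id: str, redirect_uri: str) -> bool:
        """Weak check: any URI on the registered scheme+host is accepted (the '*'
        style configuration the post describes). On a host that also serves
        third-party apps, every one of those apps becomes a valid redirect target."""
        c = urlparse(redirect_uri)
        for reg in REGISTERED_REDIRECTS.get(client_id, []):
            r = urlparse(reg)
            if (r.scheme, r.hostname) == (c.scheme.lower(), c.hostname):
                return True
        return False

    def exact_match(client_id: str, redirect_uri: str) -> bool:
        """Hardened check: the redirect_uri must equal a registered value after
        normalization; no prefix, wildcard or extra path segments are accepted."""
        return any(_normalize(reg) == _normalize(redirect_uri)
                   for reg in REGISTERED_REDIRECTS.get(client_id, []))

    def check_authorize_request(url: str) -> tuple:
        """Parse an /authorize URL and return (wildcard_result, exact_result)
        for its redirect_uri; parse_qs percent-decodes the value."""
        q = parse_qs(urlparse(url).query)
        client_id = q.get("client_id", [""])[0]
        redirect_uri = q.get("redirect_uri", [""])[0]
        return wildcard_match(client_id, redirect_uri), exact_match(client_id, redirect_uri)

    # Constructed sample authorize URLs: the registered redirect, and one pointing
    # at another app path on the same host.
    AUTHZ = "https://authz.example-mail.test/oauth2/authorize?response_type=code&client_id=custom-audiences-demo&redirect_uri="
    LEGIT = AUTHZ + "https%3A%2F%2Fads.example-platform.test%2Fmanage%2Fcontact_importer_auth%2F"
    TAMPERED = AUTHZ + "https%3A%2F%2Fads.example-platform.test%2Fsome-third-party-app%2F"
    ```

    The wildcard check accepts both URLs; only exact matching rejects the second, which is the restriction the post says was applied as the fix.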

  2. #2


    Hi bro, it's great if you could kindly upload a video or give a tutorial for this type of bypass, for learning. I understand it 50/50, so I am confused... Kindly upload a video. I am very thankful to you.

  3. #3

    Thanks bro

    Thanks bro...
    for sharing...
    Bro, can you share more videos like this?
    It's great for learning...
