Just a few weeks ago Nir Goldshlager disclosed an OAuth vulnerability in Facebook. Security researcher Amine Cherrai has now found a similar vulnerability in Facebook that allowed an attacker to obtain the access_token, with full permissions, of any Facebook account.
"As you may know, last month Facebook closed many bugs, leading to security reinforcement of the 'redirect_uri' parameter to prevent hijacking attacks. One of these reinforcements was rejecting all 'redirect_uri' values that contain '#' or '#!'," the researcher wrote in his blog.
"While I was looking in the Facebook Javascript SDK I found something strange, I found that it uses http://static.ak.facebook.com/connect/xd_arbiter.php?version=21#channel=f876ddf24&origin=http://localhost&channel_path=/oauth/PoC_js/?fb_xd_fragment#xd_sig=f3adf0e04c& as a redirect_uri and it's not rejected... So I said let's use it too!!!"
Amine successfully built a PoC that redirects to another Facebook page carrying the access token, but he ran into problems when trying to redirect to an external website.
Nir Goldshlager helped Amine by suggesting that, instead of redirecting directly to an external website, he redirect to an application on Facebook and let that application redirect to the external website. After following Nir Goldshlager's instructions, he managed to generate a final working redirect_uri.
POC video
Facebook has learnt from its previous lessons and is now fixing vulnerabilities as soon as somebody reports them; this vulnerability has already been fixed.
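To show why the bypass above worked, here is an added illustration in Python (not code from the post, and not Facebook's actual implementation): a deny-list redirect_uri check that rejects '#' and '#!' but exempts the SDK channel URL, in the spirit of the fix the post describes, beside an exact-match allowlist check that also refuses any fragment. The registered callback URI and the sample inputs are constructed for this example.

```python
from urllib.parse import urlsplit

# Constructed sample configuration (an assumption for this example, not
# Facebook's real settings): the app's one registered callback, and the
# SDK channel endpoint that the quoted PoC URL points at.
REGISTERED_REDIRECT_URIS = {"https://app.example/oauth/callback"}
SDK_CHANNEL_PREFIX = "http://static.ak.facebook.com/connect/xd_arbiter.php"


def weak_validate(redirect_uri: str) -> bool:
    """Deny-list check: reject redirect_uri values containing '#' or '#!',
    except the SDK channel URL, which is let through untouched.
    The exemption is the hole: everything after the trusted prefix
    (query and fragment) is still controlled by whoever built the link."""
    if redirect_uri.startswith(SDK_CHANNEL_PREFIX):
        return True
    return "#" not in redirect_uri


def strict_validate(redirect_uri: str) -> bool:
    """Allowlist check: the redirect_uri must match a registered URI
    exactly, and a fragment is never accepted. There is no trusted
    prefix to chain from, so the SDK-shaped URL is rejected too."""
    parts = urlsplit(redirect_uri)
    if parts.fragment or parts.scheme != "https":
        return False
    return redirect_uri in REGISTERED_REDIRECT_URIS


def compare(redirect_uri: str) -> tuple:
    """Return (deny-list verdict, allowlist verdict) for one candidate."""
    return (weak_validate(redirect_uri), strict_validate(redirect_uri))


if __name__ == "__main__":
    # Constructed candidates: a legitimate callback, one smuggling a
    # fragment, and an SDK-shaped URL carrying a foreign origin parameter.
    for uri in (
        "https://app.example/oauth/callback",
        "https://app.example/oauth/callback#!/somewhere",
        SDK_CHANNEL_PREFIX + "?version=21#channel=abc&origin=https://third-party.example",
    ):
        print(compare(uri), uri)
```

The second tuple value is the one a defender wants: only the registered callback passes, while the fragment-bearing URL and the exempted SDK URL are both refused.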