BugBounty: Account Takeover via Facebook OAuth
Hi everyone, hope you are all doing well. I have not posted for a while because of my college exams. In this post we are going to see how I found a misconfigured Facebook OAuth integration that allowed me to register with literally anyone's account.
So… let's begin :)
First of all, a little background on OAuth.
What is OAuth?
Have you ever seen a web page where you can register via Facebook, Google or another service? If yes, then you have already used OAuth.
In simple terms, OAuth is a delegated-authorization protocol that lets a web application sign users up or log them in through a third-party identity provider (Facebook, Google, Apple, Twitter, etc.) without the application ever handling the user's password for that provider.
How does it work?
Here is a simplified walkthrough of the authorization-code flow, the variant that most "Login with X" buttons use:
Whenever you click "Login with Facebook" (or Google, or anything else), this is what happens behind the scenes:
1- The web application redirects your browser to the provider's authorization endpoint (say, facebook.com) with its client ID, the redirect URI it wants the answer sent to, and a random state value.
2- You pick the account you want to use and approve the requested permissions (typically public profile and email address).
3- The provider redirects your browser back to the web application with a one-time authorization code (and the state value). The application's server then exchanges that code, together with its client secret, for an access token.
4- The web application uses the access token to ask the provider who the user is (on Facebook, a Graph API call such as /me?fields=id,name,email), and finally creates or logs in the matching local account. (This is where I found the vulnerability.)
That's all on OAuth basics; if you want to know more, please see the link below. I am not going to explain OAuth in depth here since it would make this article too long.
For a deeper understanding, please visit: https://www.varonis.com/blog/what-is-oauth/
So let’s get started
ABOUT THE VULNERABILITY:
I was hunting on a private program (let's call it hackedprogram.com) and, for no particular reason, started right on the main domain.
The first thing I do is look for authentication functionality (login, register and OAuth) and the password reset functionality.
I then started testing the registration functionality and found the following:
1- We can register the old way (by filling in a form).
2- We can register via Facebook OAuth.
At first I tried to find something in the normal, form-based registration but didn't find anything good, so I moved on to testing the Facebook OAuth implementation.
And this is what I found:
1- After Facebook sends the authorization code back to the web application, the request that completes the registration carries name and email parameters, and the server uses those values to add the user to its database.
2- The name and email parameters are not validated on the server side: the server trusts whatever the client sends instead of the identity behind the Facebook token.
Knowing these two things, I went through the OAuth registration again, but this time I intercepted the request and changed the name and email parameters to Hacked Account and firstname.lastname@example.org respectively.
After forwarding this request, the server accepted it and the registration went through with the email address I had supplied.
I then confirmed that the account really had been created under that address.
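To make the flow described above and the name/email bug concrete, here is an added, self-contained simulation (it is not code from the original post or from the affected program; MockFacebook, App, register_vulnerable, register_fixed, the app credentials and the two sample users are all invented for this example). It runs the authorization-code flow offline and then completes registration twice: once the way the post describes the vulnerable server (trusting client-posted name and email), and once the hardened way (identity taken from the provider using the access token).

```python
"""Simulated 'Login with Facebook' registration: the authorization-code flow
from the walkthrough above, with a vulnerable and a fixed server-side handler.
Every class/function name here is invented for the example; MockFacebook
stands in for facebook.com and graph.facebook.com and never touches the network."""
import secrets
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlencode, urlparse

APP_ID, APP_SECRET = "app-id", "app-secret"                          # assumed client credentials
REDIRECT_URI = "https://hackedprogram.com/oauth/facebook/callback"   # assumed callback URL


class MockFacebook:
    """Constructed identity provider with two sample users (attacker and victim)."""

    def __init__(self):
        self.users = {
            "fb-attacker": {"id": "1001", "name": "Mallory", "email": "mallory@attacker.example"},
            "fb-victim": {"id": "2002", "name": "Alice", "email": "alice@victim.example"},
        }
        self.codes = {}   # one-time authorization code -> (user key, redirect_uri it was issued for)
        self.tokens = {}  # access token -> user key

    def authorize(self, redirect_uri, state, logged_in_as):
        """Steps 1-2: the browser is sent to the provider, the user picks their account,
        and the provider redirects back with a short-lived code and the app's state value."""
        code = secrets.token_urlsafe(16)
        self.codes[code] = (logged_in_as, redirect_uri)
        return f"{redirect_uri}?{urlencode({'code': code, 'state': state})}"

    def exchange_code(self, code, redirect_uri, app_id, app_secret):
        """Step 3: the app's server trades the one-time code for an access token using its secret."""
        user_key, issued_for = self.codes.pop(code, (None, None))
        if user_key is None or issued_for != redirect_uri or (app_id, app_secret) != (APP_ID, APP_SECRET):
            raise PermissionError("invalid code, redirect_uri or app credentials")
        token = secrets.token_urlsafe(24)
        self.tokens[token] = user_key
        return token

    def me(self, access_token):
        """Stand-in for GET /me?fields=id,name,email on the Graph API, authenticated by the token."""
        return dict(self.users[self.tokens[access_token]])


@dataclass
class App:
    fb: MockFacebook
    accounts: dict = field(default_factory=dict)       # email -> account record
    pending_states: set = field(default_factory=set)   # anti-CSRF state values we issued

    def start_login(self):
        """Issue a fresh state value and remember it so the callback can be tied to this login."""
        state = secrets.token_urlsafe(16)
        self.pending_states.add(state)
        return state

    def register_vulnerable(self, callback_url, posted_form):
        """Step 4 as the post describes it: the code exchange is fine, but the identity stored
        comes from client-supplied 'name'/'email' fields, so anyone can register as anyone."""
        code = parse_qs(urlparse(callback_url).query)["code"][0]
        self.fb.exchange_code(code, REDIRECT_URI, APP_ID, APP_SECRET)  # token obtained, then ignored
        email, name = posted_form["email"], posted_form["name"]        # attacker-controlled
        self.accounts[email] = {"name": name, "fb_id": None}
        return email

    def register_fixed(self, callback_url, posted_form):
        """Hardened step 4: identity is read from the provider using the access token;
        the posted form is never consulted, and the state value must be one we issued."""
        q = parse_qs(urlparse(callback_url).query)
        state = q.get("state", [None])[0]
        if state not in self.pending_states:
            raise PermissionError("unknown state: possible login CSRF")
        self.pending_states.discard(state)
        token = self.fb.exchange_code(q["code"][0], REDIRECT_URI, APP_ID, APP_SECRET)
        profile = self.fb.me(token)
        if not profile.get("email"):
            raise PermissionError("provider returned no email; cannot link to a local account")
        self.accounts[profile["email"]] = {"name": profile["name"], "fb_id": profile["id"]}
        return profile["email"]


def takeover_attempt(handler_name):
    """The attacker logs in with THEIR OWN Facebook account but posts the victim's email.
    Returns the email the app actually registered and the account record it created."""
    fb = MockFacebook()
    app = App(fb)
    state = app.start_login()
    callback = fb.authorize(REDIRECT_URI, state, logged_in_as="fb-attacker")
    forged_form = {"name": "Hacked Account", "email": "alice@victim.example"}
    registered = getattr(app, handler_name)(callback, forged_form)
    return registered, app.accounts[registered]


if __name__ == "__main__":
    print("vulnerable:", takeover_attempt("register_vulnerable"))
    print("fixed:     ", takeover_attempt("register_fixed"))
```

Run it and the vulnerable handler registers alice@victim.example with the attacker-chosen display name, while the fixed handler registers the attacker's own Facebook identity no matter what the form says. The general fix is the same for any provider: the server must derive who the user is from the token it obtained (profile endpoint, or ID token claims), never from fields the browser posts alongside the callback. Two further checks belong in a real Facebook integration: confirm the token was issued to your own app (the Graph API debug_token endpoint reports the app_id and validity), and prefer linking local accounts on the provider's stable user ID rather than on email alone, since some providers will return an email address the user has not verified.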
And finally, I reported this vulnerability to the company.
TAKEAWAYS:
1- Always test each and every functionality of the web application.
2- Sometimes, just follow your instincts.
3- Deeply analyze how each functionality works.
4- And my favorite: follow the road less traveled ;)
So that's it for this article. I hope you learnt something new and interesting. :)