BugBounty: Account Takeover via Facebook Oauth


faiyazstar786_98581

Hi everyone, hope you all are doing well. I have not posted for a while because of my college exams and other things. In this post, we are going to see how I found a misconfigured Facebook OAuth implementation that allowed me to register with literally anyone’s account.

So….Let’s Begin :)

First of all, let’s learn a little bit about OAuth.

What is OAuth?

Have you ever seen a webpage where you can register via Facebook, Google or any other service? If yes, then you already know the use of OAuth.

In simple terms, OAuth is a functionality in web applications that allows users to register or log in via a third-party website (for example Facebook, Google, Apple, Twitter, etc.).

How does it work?

Here is one simple example demonstrating the working of OAuth:

Whenever you click on “Login with Facebook” or a similar button, this is what happens behind the scenes:

1- The web application sends a request to the provider’s server (let’s say google.com).

2- The user then clicks on his/her Google account.

3- The Google server verifies the credentials and sends an access token code back to the web application.

4- The web application verifies the token and finally you get logged in or registered. (This is where I found the vulnerability.)

That’s all about OAuth. If you want to know more, please visit the link below; I am not going to explain OAuth in depth since it would increase the length of this article.

For a deeper understanding, please visit: https://www.varonis.com/blog/what-is-oauth/

So let’s get started.

ABOUT THE VULNERABILITY:

I was hunting on a private program (let’s say hackedprogram.com) and, for no particular reason, I started right on the main domain.

The first thing I do is look for authentication functionality (login, register and OAuth) and the password reset functionality.

I then started testing the register functionality and found the following:

1- We can register via the old method (by filling in a form).

2- We can use Facebook OAuth.

At first I tried to find something in the normal registration method (via forms) but didn’t find anything good, then I moved on to testing the Facebook OAuth implementation.

And this is what i found:

1- When the Facebook server sends the code to the web application, the server then uses an email and a name parameter to add the user to its database.

2- The name and email parameters are not being validated properly on the server side.

Knowing these two things, I started to register again using the OAuth functionality, but this time I changed the name and email parameters to Hacked Account and victimaccount@gmail.com respectively.
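The two findings above, and the four-step flow described earlier, come down to one design question: after the application redeems the code, does it take the user’s identity from the provider, or from fields the browser sent alongside the code? The following is an added example, not code from the original post or from the program being tested. It models the provider with a constructed in-memory stand-in (`FakeProvider`, with an assumed `email_verified` field) and shows the misconfigured callback beside a hardened one that only trusts the profile the provider returns for the access token.

```python
"""Constructed example: an OAuth callback that trusts client-supplied profile
fields (the misconfiguration described in the post) beside a hardened callback
that derives the identity from the provider using the access token.

The provider, its fields and all function names here are assumptions for
illustration; this is not the program's or Facebook's code.
"""
from dataclasses import dataclass, field


@dataclass
class FakeProvider:
    """Stand-in for the identity provider (constructed, in-memory).

    `codes` maps single-use authorization codes to the profile the provider
    actually authenticated; `tokens` maps issued access tokens to that profile.
    """
    codes: dict = field(default_factory=dict)
    tokens: dict = field(default_factory=dict)

    def exchange_code(self, code: str) -> str:
        """Step 3 of the flow: the app redeems the one-time code for a token."""
        profile = self.codes.pop(code, None)  # codes are single-use
        if profile is None:
            raise ValueError("invalid or reused authorization code")
        token = f"tok-{len(self.tokens) + 1}"
        self.tokens[token] = profile
        return token

    def fetch_profile(self, token: str) -> dict:
        """Equivalent of a /me call: the profile bound to the token."""
        if token not in self.tokens:
            raise ValueError("invalid access token")
        return dict(self.tokens[token])


def vulnerable_register(provider: FakeProvider, users: dict, params: dict) -> dict:
    """Misconfigured callback: redeems the code, then stores whatever
    'name' and 'email' the client sent alongside it. The token is never used
    to look the user up, so the client controls which account gets created."""
    provider.exchange_code(params["code"])
    email = params["email"]
    users[email] = {"name": params["name"], "email": email}
    return users[email]


def hardened_register(provider: FakeProvider, users: dict, params: dict) -> dict:
    """Fixed callback: the identity comes only from the provider's profile for
    the token; client-supplied 'name'/'email' are never read. The
    `email_verified` check is an assumed provider field added as a caveat:
    only link addresses the provider itself has verified."""
    token = provider.exchange_code(params["code"])
    profile = provider.fetch_profile(token)
    if not profile.get("email_verified", False):
        raise ValueError("provider has not verified this email; refuse to link it")
    email = profile["email"].strip().lower()
    users[email] = {"name": profile["name"], "email": email}
    return users[email]


def run_demo() -> tuple:
    """Run the same tampered request against both callbacks.

    Returns (email stored by the vulnerable callback, email stored by the
    hardened callback). The attacker-controlled request body reuses the
    post's values; the provider-side profile is constructed."""
    authenticated = {"name": "Attacker", "email": "attacker@example.com",
                     "email_verified": True}
    provider = FakeProvider(codes={"code-1": dict(authenticated),
                                   "code-2": dict(authenticated)})
    tampered = {"name": "Hacked Account", "email": "victimaccount@gmail.com"}

    vuln_user = vulnerable_register(provider, {}, {"code": "code-1", **tampered})
    safe_user = hardened_register(provider, {}, {"code": "code-2", **tampered})
    return vuln_user["email"], safe_user["email"]


if __name__ == "__main__":
    vuln_email, safe_email = run_demo()
    print("vulnerable callback registered:", vuln_email)
    print("hardened callback registered:  ", safe_email)
```

The hardened version also makes a second test easy: replaying a code a second time raises, because `exchange_code` consumes it, so a captured callback URL cannot be reused to create another account.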

[Screenshot: Original Request]

[Screenshot: Modified Request]

And after forwarding this request, I got the following response:

[Screenshot: Successful Response :)]

And now, for the confirmation:

[Screenshot: Vulnerability Confirmed :D]

After this i was like:

[Image: I’ve won :D]

And finally, I reported this vulnerability to the company.

Takeaways:

1- Always test each and every functionality of the web application.

2- Sometimes, just follow your instincts.

3- Deeply analyze the working of each functionality.

4- And my favorite: follow the road less traveled ;)

So that’s it for this article. Hope you guys learnt something new and interesting. :)

And let me tell you one thing

You can follow me on:

Twitter: https://twitter.com/FaIyaZz007

Linkedin: https://www.linkedin.com/in/faiyaz-ahmad-64457520b/
