Facebook OAuth 2.0 Misconfiguration

3 years ago 154
BOOK THIS SPACE FOR AD
ARTICLE AD

Intro

If you had been following my cybersecurity articles, you already know that I don’t like to hunt on Facebook but every now and then their bugs just get in my way. This one, in particular, is one of those vulnerabilities.

What is OAuth?

OAuth is a commonly used authorization framework that enables websites and web applications to request limited access to a user’s account on another application, in this case, Facebook. Granting access without exposing login credentials to the requesting application. Users can decide the amount of data to share rather than giving full control of their accounts to a third-party application. Applications might use OAuth to request access to your email contacts list and use it to suggest people to it. However, this same mechanism can be used to provide third-party applications authentication services, allowing users to log in with an account that they have with a different website.

Note:

OAuth 2.0 is the current standard, some websites still use the legacy version 1. OAuth 2.0 was written from zero, not off OAuth v1. As a result, they are very different.

OAuth Misconfiguration

While browsing the web, you’ve almost certainly come across sites that let you log in using your Facebook account. Most of the time, this feature is built using OAuth 2.0 framework. This framework is of high interest for Bug Hunters because it is inherently prone to implementation mistakes. Which can result in several vulnerabilities, allowing Hunters to obtain sensitive user data or bypass authentication.

Vuln.com

After testing almost everything on this site, I found an OAuth Misconfiguration on vuln.com, and here is how to reproduce it.

STEPS:
1. Log in to Vuln.com using your Facebook personal account option.

2. Open your Facebook account > go to settings >delete and revoked any permission to Vuln.com in the Facebook control Apps panel.

3. At this point, your section should get sign out of your Vuln.com account intermediately (Well, for Vuln.com this is not the case)
After removing the app from your Facebook account, you still can use Vuln.com and even modify any information on that profile

Reporting the vulnerability 1.0

After I sent in the first part of my report, I also found out about this part below here.

Reporting the vulnerability 2.0

Weeks went by and I waited for a response, but to my big surprise this was the outcome and my luck, an duplicate of many on my collection.

Conclusion

I want to point out that I found this bug just out of luck. After testing the app for any vulnerabilities, and giving up to test a new one. I didn’t want to let it sit there and just have access to my Facebook account data. After revoking the app, I noticed that the app was still having access to my Facebook account, which is why I sent in the report. As you can see from the steps, this is a very easy find. Try it, you never know.

Read Entire Article