If anyone remembers the last OAuth flaw in Facebook that allowed an attacker to hijack any account without the victim interacting with any Facebook application: it was reported by white hat hacker 'Nir Goldshlager'. After that, the Facebook security team fixed the issue with some minor changes. Now, yesterday, Goldshlager once again pwned Facebook's OAuth mechanism by bypassing all of the minor changes made by the Facebook team. He explains the complete saga of hunting the Facebook bug in a blog post, so please do read it.
What is the OAuth Vulnerability?
Well, the OAuth URL contains two parameters, redirect_uri and next, and after the last patch the Facebook team tried to secure them with regex protection (%23xxx!, %23/xxx, /).
He actually uses the facebook.com/l.php file (used by Facebook to redirect users to external links) to redirect victims to his malicious Facebook application and then on to his own server, where the token values are stored; those tokens give access to any Facebook account without its password.
But a warning message shown during the redirect ruined the show! No worries: he found that 5 bytes of data in the redirection URL are enough to bypass this warning message.
Example: https://www.facebook.com/l/goldy;touch.facebook.com/apps/sdfsdsdsgs (where 'goldy' is the 5 bytes of data used).
Now, in the last step, he redirects the victim to an external website hosted on files.nirgoldshlager.com (the attacker's server) via the malicious Facebook app he created, and the victim's access_token is logged there as well. So here we have the final POC that can hack any Facebook account by exploiting another Facebook OAuth bug, and more.
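The root problem in the write-up above is that the redirect target is checked with a pattern on the URL string, so any URL on a trusted host passes, including the provider's own link-forwarding endpoint, which then bounces the token anywhere. The following is an added example (not from the original post and not Facebook's code) contrasting such a pattern check with an exact-match allow-list of registered redirect URIs; the hostnames, client id, registry and forwarder paths are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed provider hostnames (placeholders, not real domains).
PROVIDER_HOSTS = {"www.idp.example", "touch.idp.example"}

# Constructed registry: client_id -> exact redirect URIs registered when the app was created.
REGISTERED = {"client-123": {"https://www.idp.example/apps/myapp/callback"}}

# Hypothetical link-forwarding endpoints on the provider's own host. A token must never
# be delivered to one of these, because they redirect to whatever follows in the path.
FORWARDER_PATHS = ("/l.php", "/l/")

# Pattern check of the kind the article describes: "any URL on one of our hosts".
_WEAK = re.compile(r"^https://(www|touch)\.idp\.example/")


def weak_check(redirect_uri: str) -> bool:
    """Accept any redirect whose string starts with a provider host.

    Passes forwarder URLs such as /l/<junk>;other-host/... because the regex only
    looks at the beginning of the string, not at where the request ends up.
    """
    return bool(_WEAK.match(redirect_uri))


def strict_check(client_id: str, redirect_uri: str) -> bool:
    """Accept only a URI that exactly equals one registered for this client.

    Exact comparison after parsing means an allowed host embedded later in the URL,
    an encoded fragment (%23...), or extra bytes before a ';' cannot sneak through.
    """
    try:
        parts = urlsplit(redirect_uri)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme != "https" or not parts.hostname:
        return False
    if port is not None or parts.username or parts.password or parts.fragment:
        return False
    # Belt and braces: never hand a token to our own link forwarder, even if someone
    # mistakenly registered such a path.
    if parts.hostname in PROVIDER_HOSTS and parts.path.startswith(FORWARDER_PATHS):
        return False
    normalized = f"https://{parts.hostname}{parts.path or '/'}"
    if parts.query:
        normalized += "?" + parts.query
    return normalized in REGISTERED.get(client_id, set())


if __name__ == "__main__":
    # Constructed sample shaped like the article's forwarder URL.
    forwarder = "https://www.idp.example/l/goldy;touch.idp.example/apps/x"
    print("weak   ->", weak_check(forwarder))                    # True  (leaks token)
    print("strict ->", strict_check("client-123", forwarder))    # False (rejected)
```

The strict version also rejects a registered URI with an added fragment, a different scheme, or an explicit port, because each of those changes where the browser delivers the token; logging every rejection with the offending `redirect_uri` gives defenders a cheap detection signal for probing of the authorization endpoint.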
Latest News: This bug was also reported to the Facebook security team last week by Nir Goldshlager and has now been fixed. Thanks!