Thursday, February 21, 2013

How I Hacked Facebook OAuth To Get Full Permission On Any Facebook Account (Without App "Allow" Interaction)

Hi,

I decided to share one of my favorite flaws I discovered in facebook.com.
This flaw allowed me to take full control over any Facebook account.

By exploiting this flaw I could steal unique access tokens that provide me full control over any Facebook account.

Just to clarify, there is no need for any installed apps on the victim's account. Even if the victim never allowed any application in his Facebook account, I could still get full permissions (this bug works on any browser).

To make this exploit work, the victim only needs to visit a webpage.
OAuth is used by Facebook to communicate between applications and Facebook users. Usually users must allow/accept the application request to access their account before the communication can start.

Any Facebook application might ask for different permissions.

For example:

Diamond Dash, Texas Holdem Poker only have permission to basic information and to post on the user's wall.



I found a way to get full permissions (read inbox, outbox, manage pages, manage ads, read private photos, videos, etc.) over the victim's account even without any installed apps on the victim's account.
Another advantage of the flaw I found is that there is no "expiry date" on the token like there would be with any other application usage. In my attack the token never expires unless the victim changes his password :)
    

Every application in Facebook has a different app_id. For example, 'Diamond Dash' will be app_id=2, and 'Texas Holdem Poker' will be app_id=3.

The next / redirect_uri parameter (next=, redirect_uri=) only accepts the domain of the app owner.
For example, app_id=2389801228 belongs to the 'Texas Holdem Poker' app, so the 'next' parameter will allow only the zynga.com domain (i.e. next=http://zynga.com).
If the domain in the 'next' / 'redirect_uri' parameter is different (nirgoldshlager.com), Facebook will block this action.




Facebook performs a match between your app_id and your next parameter. Facebook also sends the access token via a GET request to the owner application after the user allowed it.
Now that we know how Facebook OAuth works, let's talk about my finding.
I started to think of my options: what if I can redirect the application OAuth request to a different 'next' URL? First I tried to change the 'next' parameter to a different domain, and they blocked my action.
Then I tried to change the next parameter to the facebook.com domain, and got blocked again with a general error message.




I found that if you use a sub-domain, for example xxx.facebook.com, Facebook will allow this action.
But if you try to access folders / files in x.facebook.com (x.facebook.com/xx/x.php), Facebook blocks you.
So I noticed that facebook.com uses a hash sign and ! in their URLs (x.facebook.com/#!/xxxx).
I tried to perform this action in the next parameter (next=x.facebook.com/%23!/), and Facebook blocked me again!
Then I tried to put "something" between the hash sign and the ! (%23x!), and Facebook didn't block this action.
Seems that there is a regex protection. Cool!

But wait!,

If we put something like this (https://beta.facebook.com/#xxx!/messages/), our client will not treat it the same as #!, and will not redirect us to the message screen.
I figured I had to find a way around it, so I started to fuzz characters between ! and # so I could make any browser (IE, Chrome, Safari, Firefox...) treat it like #!.

Now it's time for fuzzing!
    
Result:
    
%23~!   (Works on all browsers) 
%23%09! (Works on all browsers)
     
Cool! This trick works on touch.facebook.com/#%09!/, m.facebook.com/#~!/ (or any other Facebook mobile, touch domain).

So now I'm able to redirect the victim to any files / directories in any Facebook sub-domain.
Then I created a Facebook application that will redirect the victim to an external website, sending the access_token of the victim to my "malicious" external website.

For example (Zynga Texas Holdem OAuth bypass):
And my Facebook application will redirect to the files.nirgoldshlager.com domain and save the victim's access_token in a log file (files.nirgoldshlager.com/log.txt).

Amazing! Now I'm able to steal access tokens of any Facebook application.

But wait!!!
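From the defender's side, the filter behaviour described above can be contrasted with exact-match redirect validation. This is an added example, not code from the original post or from Facebook: `blocklist_check` is a simplified model of the observed behaviour, and the `REGISTERED` table and its callback URI are constructed assumptions.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed registration table (assumption): app_id -> exact redirect URIs
# the app owner registered. The app_id is the one quoted in the post.
REGISTERED = {"2389801228": {"https://zynga.com/callback"}}


def blocklist_check(next_url: str) -> bool:
    """Simplified model of the filter behaviour described in the post."""
    parts = urlsplit(next_url)
    host = parts.hostname or ""
    if not host.endswith(".facebook.com"):   # any sub-domain is accepted
        return False
    if parts.path not in ("", "/"):          # folders / files are rejected
        return False
    return "#!" not in next_url              # only the literal "#!" is rejected


def strict_check(app_id: str, redirect_uri: str) -> bool:
    """Exact-match validation that does not depend on spotting bad patterns."""
    # Reject whitespace and control characters before parsing (covers the tab case).
    if any(ord(c) <= 0x20 or ord(c) == 0x7F for c in redirect_uri):
        return False
    parts = urlsplit(redirect_uri)
    # RFC 6749 section 3.1.2: a redirection URI must not contain a fragment.
    if parts.scheme != "https" or "#" in redirect_uri:
        return False
    # Compare the whole string with what this app_id registered.
    return redirect_uri in REGISTERED.get(app_id, set())


def evaluate(authorize_url: str) -> dict:
    """Pull app_id and next out of an authorize URL and run both checks."""
    query = parse_qs(urlsplit(authorize_url).query)
    app_id, next_url = query["app_id"][0], query["next"][0]
    return {"next": next_url,
            "blocklist": blocklist_check(next_url),
            "strict": strict_check(app_id, next_url)}


# The PoC URL from the post, shortened to the two parameters that matter here.
POC = ("https://www.facebook.com/connect/uiserver.php?app_id=220764691281998"
       "&next=https%3A%2F%2Ftouch.facebook.com%2F%23~!%2Fapps%2Ftestestestte%2F")

if __name__ == "__main__":
    print(evaluate(POC))
```

The pattern filter accepts the `#~!` and tab variants because it looks for one known-bad string, while the exact-match check rejects them without needing to know about either.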


HERE COMES THE REAL DEAL: 

To make a successful attack, the victim needs to use a Facebook application (Texas Holdem Poker, Diamond Dash, etc.).
And these applications only have basic permissions. We can always change the scope of the application permission and set a new permission, but this method is not powerful, because the victim needs to accept the new permissions of the app (https://www.facebook.com/connect/uiserver.php?app_id=2389801228&next=http://zynga.com&display=page&fbconnect=1&method=permissions.request&response_type=token&perms=ads_management%20create_event%20create_note%20email%20export_stream%20manage_friendlists%20manage_groups%20manage_notifications%20manage_pages%20offline_access%20photo_upload%20publish_actions%20publish_checkins%20publish_stream%20read_friendlists%20read_insights%20read_mailbox%20read_page_mailboxes%20read_requests).





I wanted something more powerful!

Something that will give me full permissions (read inbox, outbox, manage pages, manage ads, access to private photos, videos, etc.) on the victim's account without any installed application on the victim's account, and make Facebook do the Goldshake ;)

So I started thinking:
How can this be done?
What if I use a different app_id? The app_id of Facebook Messenger, for example.
Does the user need to accept the Facebook Messenger app in his Facebook account?

The answer is no.
There are built-in applications in Facebook that users never need to accept, and these applications have full control over your account.
Also, I found that this access_token never expired in Facebook Messenger.



Only after the victim changes his password will the access_token expire. But why the hell would the user change his password?

PoC (works on all browsers, no need for an installed application on the victim's account):

https://www.facebook.com/connect/uiserver.php?app_id=220764691281998&next=https%3A%2F%2Ftouch.facebook.com%2F%23~!%2Fapps%2Ftestestestte%2F&display=page&fbconnect=1&method=permissions.request&response_type=token

Facebook Security fixed this bug.

Full description of permissions for the Facebook Messenger app:

ads_management create_event create_note email export_stream manage_friendlists manage_groups manage_notifications manage_pages offline_access photo_upload publish_actions publish_checkins publish_stream read_friendlists read_insights read_mailbox read_page_mailboxes read_requests read_stream rsvp_event share_item sms status_update video_upload xmpp_login

Also works on accounts with 2-step verification. When it comes to the access_token, 2-step verification will fail.

And???



PoC Video:



How I Hacked Facebook OAuth To Get Full Permission On Any Facebook Account from Nir on Vimeo.





Cya next time!


20 comments:

Bruno said...

Great post. I wish i had more time to go after these OAuth flaws. :)

homakov said...

great finding especially using pre-installed app! Facebook should fix and remove auto installed apps

Muhammad Usman said...

Nice Work Man :)

mohamed said...

i will use that to hack Facebook accounts :p

Subhash Dasyam said...

Good Find :) like the way you think

NoTty_rAJ said...

Nice Find Bro Appreciated

Unknown said...

keep it man.

Adriel said...

Nice work man, wait till facebook security track you down and hire you. lol. keep up.

diya said...

very nice.. i lyk ur way of thinking..

MaXe said...

Heh, video is removed, how lame! It's this kind of attitude in the world, that makes people think hacking is a crime when it's clearly not illegal to hack Facebook as long as you follow their rules defined within the bug bounty program, which you did. Ignorance is bliss

Nir Goldshlager said...

Thanks,

Yeah, YouTube removed my PoC video for some reason.

Anyway, I uploaded it again via Vimeo.

Anonymous said...

Sweet :)

[FVR] Clan said...

You are the best.. I come from trying to do this in a while and never can get the automatic token.. Congrats genius..

Anonymous said...

good read man! and good job.

Unknown said...

hey man, i have the same issue in my oauth2 implementation... do you know how facebook fixed this bug?

Anonymous said...

Cool ! Nice work there.

Yasinepd said...

can we do this :D ?

Hackerkepzes.hu said...

Impressive hack, congrats!

Krishna said...

How did you get the Facebook Messenger app_id and access token?

John said...

So can I request you to do this with a guy's Facebook?
