Posts

Showing posts from April, 2017

Meh : CSRF in Facebook Delegated Account Recovery

Note: this is going to be a quick post. This year, at the Enigma 2017 Conference, Facebook introduced a way to move Account Recovery beyond Email and the "Secret" Question. After the presentation they moved operationally and presented the first integration partner: Github. These days I have seen a lot of press around this, and both Facebook and Github open sourced their implementation and specification (also presented at F8). Well, it turned out that the Facebook side was susceptible to Cross Site Request Forgery. Really simple explanation: the attacker starts the integration with Github and stops the flow at the right moment. They then create an attacker page such as https://github.com/asanso/asanso.github.io/blob/master/facebook/test_fb.html

<html> <img src="https://www.facebook.com/recovery/delegated/save/?fr=OkpK%2FnF9oZk%3D& relay_token=AfFdhnFYiPWXlcS17dG19Tz4sJT%2B%2FzBorBbDwEKgNMvxUHRIqMAnmmEGrGZlMheUfJdNHv40xyraKOfj64fR7ZgZ8HNNmincyRiHdu6Nju

CSRF in Facebook/Dropbox - "Mallory added a file using Dropbox"

tl;dr Facebook Groups offers the option to upload files directly from a Dropbox account. This integration is done using the OAuth 2.0 protocol and suffered from a variant of the classic OAuth CSRF (defined by Egor Homakov as the Most Common OAuth2 Vulnerability), see video below:

Introduction

Facebook Groups offers the option to upload files directly from the Dropbox account. This allows browsing the Dropbox account via the browser and posting a specific file to the group. This integration is done using a variant of the OAuth 2.0 protocol seen in this blog many, many times. But once more, OAuth is an access delegation protocol standardized under the IETF umbrella. A typical OAuth flow would look like:

From "OAuth 2 In Action" by Justin Richer and Antonio Sanso, Copyright 2017

Usually the client initiates the OAuth flow in the following way:

From "OAuth 2 In Action" by Justin Richer and Antonio Sanso, Copyright 2017