@zseano
UK Security Researcher



A site containing various blog posts, tutorials, tools and information regarding working with me.

@zseano
UK Security Researcher



A site containing various blog posts, tutorials, tools and information regarding working with me.



Tutorials Blog Posts Tools Contact Information



Open URL redirects to grab FB OAuth Tokens

Read more blogs on BugBountyForum

II haven’t blogged in a while, apologies. A lot of companies i’m currently working with requested I sign an NDA to continue working with them, and I respect that decision.

This post will talk about how a simple open url redirect can be used to harvest FB Oauth tokens (useful for getting users emails since most apps you’ve allowed have already requested this permission).

Let’s take a look at AutoTrader OAuth. They have mis-configured their Oauth login system so *.autotrader.co.uk will be accepted. Bad move AutoTrader.

image

So let’s say you’ve already allowed the AutoTrader app (they give you the option to “Sign in with Facebook” on the Signup/login page. If you’ve already allowed it you wouldn’t see the above screenshot, it would instead just redirect). The dialog looks geniune enough, right? Wrong.

image

Upon pressing Continue (or just visiting the URL if you’ve previously allowed it) redirects you to google with your access_token in the address bar. So now, how do we do this?

Let’s say for example we have http://www.site.com/go.php?id=1&url=http://www.google.com/ - using this URL on the FB Oauth login flow will fail.

https://www.facebook.com/dialog/oauth?client_id=1&redirect_uri=http://www.site.com/go.php?id=1&url=http://www.google.com/&response_type=token

But.. if you URL encode the URL so it turns to

https://www.facebook.com/dialog/oauth?client_id=1&redirect_uri=http%3A%2F%2Fwww.site.com%2Fgo.php%3Fid%3D1%26url%3Dhttp%3A%2F%2Fwww.google.com%2F&response_type=token

Then Facebook will redirect to the destination supplied in &url= along with the token. I'm not if this is a flaw in the oauth system or how it’s designed, who knows.. but I have mentioned to Facebook in the past that they could enforce hard-coded whitelisted urls more.

More often than so you can achieve account takeover once you've obtained a users access_token. Most sites (mostly via mobile apps) allow you to "Login via Facebook", and usually the verification method is the access_token!



Lessons to learn as a company/coder: Open URL redirects may seem harmless and not a vulnerability, but you should be careful with that view as i’ve just proven using a “harmless” open url redirect can be used to harvest emails from your FB users.
Lessons to learn as a user: Be careful what apps you allow. I highly recommend using a different email for your Facebook so you receive less spam.

Note: I’ve sent over ~10 vulnerabilities to AutoTrader and their attitude to bugs is ignornant. They don’t offer any type of hall of fame, swag or reward, and they also go quiet very quickly. I’ll alert them of this Open url redirect, but it took a month of pestering to get them to fix multiple XSS vulns.