How researcher Hacked Facebook OAuth To Get Full Permission On Any Facebook Account


A Security Researcher Nir Goldshlager, has discovered a security flaw in Facebook that allowed him to take a full control over any Facebook account.

OAuth is used by Facebook to communicate between Applications and Facebook users, Usally users must allow/accept the application request to access their account before the communication can start. Facebook application might ask for different permissions.

According to researcher, the vulnerability gives a full permissions (read inbox, outbox, manage pages, manage ads, read private photos, videos,etc..) over the victim account .

"To make a successful attack, the victim need to use a Facebook application (Texas Holdem Poker, Diamond Dash, etc..). And these applications only have a basic permissions, We can always change the scope of the application permission and set a new permission but this method not powerfull, Because the victim need to accept the new permissions of the app" Researcher said in his blog.

But researcher discovered that there are built-in Applications(Facebook Messenger) in Facebook that users never need to accept , And this application have a full control on your account.

PoC:

https://www.facebook.com/connect/uiserver.php?app_id=220764691281998&next=https%3A%2F%2Ftouch.facebook.com%2F%23~!%2Fapps%2Ftestestestte%2F&display=page&fbconnect=1&method=permissions.request&response_type=token


Demo:







Nir Goldshlager found vulnerability in Facebook Employees Secure Files Transfer service

A Web Application PenTester , Nir Goldshlager, has identified a Security flaw in the Facebook's Employee Secure File Transfer that allowed him to reset the password of accounts.

The Secure File Transfer service provider "Acellion" provide service to Facebook's Employee for transferring files.  The Acellion had removed the registration page to prevent unauthorized users from creating accounts.

However, the Researcher discovered that the registration page could still be accessed by someone who know exact direct location of registration form.

After he created the account, he started to analyze the service for a security flaw. He successfully managed to find a critical vulnerability. There is a html file "wmPassupdate.html" which is used for a Password Recovery in Accellion Secure Files Transfer.

Facebook Security Flaw

He identified that there is referrer parameter used in the cookie that encoded with base64. By changing the values of this parameter, he could change the password of any account.

Facebook and Accellion fixed the issue after being notified by the Researcher.  The also claimed to have reported 20+ different bugs in Accellion Secure File Transfer Service. They fixed all of those bugs.

The POC for the vulnerability: