Hello folks,
hope you are doing well. I am Ankit a.k.a. Rudra16, a security enthusiast and Bachelor of Technology student from India. This is my first blog and it's about a common misconfiguration present in many mobile apps and websites that use the Facebook login functionality, which can lead to account takeover. This blog is based on these two HackerOne reports and I want to thank both researchers -
https://hackerone.com/reports/101977
https://hackerone.com/reports/314808
Facebook login -
According to the Facebook developers documentation, "Facebook Login is a secure, fast, and convenient way for users to log into your app, and for your app to ask for permissions to access data". Basically it's a functionality you can use to request user data from Facebook, like email, name, profile picture etc., for your website. Whenever you see the "Login with Facebook" option on any website or mobile app, it is using the Facebook login function. You can read more about this here: https://developers.facebook.com/docs/facebook-login/overview
Login Flow -
Facebook login can be implemented in two ways. The first is by manually building a login flow: "if you need to implement browser-based login for a web or desktop app without using our SDKs, such as in a webview for a native desktop app (for example Windows 8), or a login flow using entirely server-side code, you can build a Login flow for yourself by using browser redirects" (you can learn more here: https://developers.facebook.com/docs/facebook-login/manually-build-a-login-flow/). Or you can use the default login flow -
Flaw-
So the issue is present in step 5, where the Facebook app sends an access token to the target app. If the target app is misconfigured, it doesn't verify whether the access token was generated by the target's own Facebook app or by any other Facebook app. So, in step 5, the attacker substitutes the access token generated by his own app (for the victim) in place of the access token generated for the target app (for the attacker), and logs in as the victim.
Step To Reproduce-
- Create a Facebook app by going to https://developers.facebook.com/apps/
- Now generate an access token for the same account you used to sign up, by going to https://developers.facebook.com/tools/explorer/ .
- Create an account on the target app using the sign-up-with-Facebook feature and log out of the session.
- Now go to the target app and click the Facebook sign-in button. (Make sure you are intercepting traffic using a proxy tool such as Burp Suite.)
- Now change the value of the auth_token parameter to the access token generated in step 1.
- Forward the request and you will be logged in, since there is no validation of whether the access token was generated for the target app or for another app.
Impact-
An attacker can log in to any user account that has authorized his app: by generating an access token for his app for that user, he can take over the account.
Mitigation-
We can prevent this issue by sending another parameter which contains the app id and validating it on the server side. You can read more about it here:
https://developers.facebook.com/docs/facebook-login/security
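As an added example (not code from this post or from the HackerOne reports), here is what that server-side validation looks like in Python: after receiving the token from the client, the server asks Facebook's debug_token endpoint (described in the security docs linked above) which app issued the token and accepts it only if the app_id matches its own. The app id, user id and the JSON responses below are constructed placeholders; the attacker-app token from the reproduction steps falls into the "other app" case and is rejected.

```python
import json
from typing import Optional
from urllib.parse import urlencode
from urllib.request import urlopen

# Placeholder for the target app's own Facebook app id (constructed, not a real id).
OUR_APP_ID = "123456789012345"


def fetch_debug_token(input_token: str, app_access_token: str) -> dict:
    """Ask the Graph API who issued input_token. This is the only network call;
    the offline checks below work on the parsed JSON it returns."""
    query = urlencode({"input_token": input_token, "access_token": app_access_token})
    with urlopen("https://graph.facebook.com/debug_token?" + query) as resp:
        return json.load(resp)


def verified_user_id(debug: dict, expected_app_id: str) -> Optional[str]:
    """Return the Facebook user id the token belongs to, but only if the token
    is valid AND was issued to our own app. Every other case returns None, so
    the caller can never log someone in with a token minted by another app."""
    data = debug.get("data")
    if not isinstance(data, dict):
        return None                        # malformed or error response
    if data.get("is_valid") is not True:
        return None                        # expired, revoked or bogus token
    if str(data.get("app_id", "")) != expected_app_id:
        return None                        # issued to a different Facebook app: reject
    user_id = data.get("user_id")
    return str(user_id) if user_id else None


# Constructed sample debug_token responses (shape follows the Graph API docs).
RESPONSE_OWN_APP = {"data": {"app_id": "123456789012345", "is_valid": True,
                             "user_id": "1000001", "scopes": ["email", "public_profile"]}}
RESPONSE_OTHER_APP = {"data": {"app_id": "999999999999999", "is_valid": True,
                               "user_id": "1000001", "scopes": ["email", "public_profile"]}}
RESPONSE_EXPIRED = {"data": {"app_id": "123456789012345", "is_valid": False}}


def login_with_facebook_token(debug: dict) -> str:
    """Hypothetical login handler: the account is looked up by the id Facebook
    confirms, never by an id or email the client supplies alongside the token."""
    uid = verified_user_id(debug, OUR_APP_ID)
    if uid is None:
        return "rejected"
    return "logged in as fb user " + uid


if __name__ == "__main__":
    print(login_with_facebook_token(RESPONSE_OWN_APP))    # logged in as fb user 1000001
    print(login_with_facebook_token(RESPONSE_OTHER_APP))  # rejected
    print(login_with_facebook_token(RESPONSE_EXPIRED))    # rejected
```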
That's all from my side, hope you enjoyed it, and sorry I couldn't include memes here but will try to include some in the next post 😅. If you have any questions hit me up here: https://twitter.com/rudra16t
Thanks to Rajesh Ranjan for proofreading.
Feedback is always welcome, and as always, thanks for reading ❤️
Best Regards,
Rudra16