Breaking News

CSRF Email Confirmation Vulnerability for Gmail & G-Suite in Facebook

February 05, 2020 , ,
This post is about an bug that i found on Facebook which used to verify any new Gmail and G-Suite account with minimal Victim’s interaction.



When a user create a new Facebook account with Gmail they can confirm the account with two methods.
  1. Confirming by entering 5 digit confirmation code
  2. confirming by OAuth login.



Method 1 is hard to bypass. because there is a rate limit for confirmation code. even though we try to brute force Facebook will block your account with Checkpoint block due to suspicious activity.
So i tried with method 2 . while testing i found a bug in OAuth login Flow.that the CSRF token validation was missing.
https://accounts.google.com/o/oauth2/auth?client_id=15057814354-80cg059cn49j6kmhhkjam4b00on1gb2n.apps.googleusercontent.com&state=ARf8Zzq50032sck96TSFssFhWVvMUWO7KEJlq3n3_7Yp73WcWvlpyFn1dpdoUGv5QOLAn2ffrRZ_L_3ZfAncV_I0Ihog80LabpToEfHUIgfzBK720-pGRNbXGeYkETOwjeCfbsl70shdjuLnp3jC4dIsn-xPTwoggineLFh34F61bbYGsg&response_type=code&redirect_uri=https%3A%2F%2Fwww.facebook.com%2Foauth2%2Fredirect%2F&scope=openid+email&login_hint=victim_email@gmail.com
The state parameter is a CSRF token. which will validate the request and response.
Example:
If a state parameter is generated in Firefox browser . then it should work only on same browser where it generated.
but in this endpoint proper validation was missing. and the same CSRF token can be used in any browser . so the Attacker can easily embedded the URL in web page and once victim click the link the victim email will be confirmed in attackers account.
but there is one problem . before clicking the link the attackers account should be logged into victims browser. in Facebook there are some one-tap login URLs.
i used this link. once the malicious page loaded . the link will get loaded in IFrame. and attacker account will get logged into victim browser.
https://www.facebook.com/recover/password/?u=<UID>&n=<6Digit code>&ars=one_click_login&fl=one_click_login&spc=1&ocl=1&sih=0
Once the OAuth popup loaded the victim email will get confirmed. and once the popup closed the attacker account will get logged out using the below logout emdpoint.
https://m.facebook.com/logout.php?h=17AfealsadvYomDS
So by combining all this process with one web page. the attacker account will logged into victim browser and after confirmation the account will get logged out.

No comments

Please do not enter any spam link in comment box.

Subscribe to: Post Comments ( Atom )