[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[FD] Facebook API v2.1 - RFC6749 Open Redirect Vulnerability

Document Title:
Facebook API v2.1 - RFC6749 Open Redirect Vulnerability

References (Source):

Vulnerability Magazine: https://www.vulnerability-db.com/?q=articles/2016/10/10/facebook-api-v21-hit-rfc6749-open-redirect-attack-vulnerability

Release Date:

Vulnerability Laboratory ID (VL-ID):

Common Vulnerability Scoring System:

Product & Service Introduction:
Facebook is a for-profit corporation and online social networking service based in Menlo Park, California, United States. The Facebook website was 
launched on February 4, 2004 by Mark Zuckerberg, along with fellow Harvard College students and roommates, Eduardo Saverin, Andrew McCollum, Dustin 
Moskovitz, and Chris Hughes. The founders had initially limited the website's membership to Harvard students; however, later they expanded it to 
higher education institutions in the Boston area, the Ivy League schools, and Stanford University. Facebook gradually added support for students 
at various other universities, and eventually to high school students as well. Since 2006, anyone age 13 and older has been allowed to become a 
registered user of Facebook, though variations exist in the minimum age requirement, depending on applicable local laws. The Facebook name comes 
from the face book directories often given to United States university students. After registering to use the site, users can create a user profile, 
add other users as `friends`, exchange messages, post status updates and photos, share videos, use various applications (apps), and receive 
notifications when others update their profiles. Additionally, users may join common-interest user groups organized by workplace, school, or other 
topics, and categorize their friends into lists such as `People From Work` or `Close Friends`. In groups, editors can pin posts to top. Additionally, 
users can complain about or block unpleasant people. Because of the large volume of data that users submit to the service, Facebook has come under 
scrutiny for their privacy policies. Facebook, Inc. held its initial public offering (IPO) in February 2012, and began selling stock to the public 
three months later, reaching an original peak market capitalization of $104 billion. On July 13, 2015, Facebook became the fastest company in the 
Standard & Poor's 500 Index to reach a market cap of $250 billion. Facebook has more than 1.65 billion monthly active users as of March 31, 2016.

(Copy of the Homepage: https://en.wikipedia.org/wiki/Facebook )

Abstract Advisory Information:
The vulnerability laboratory core research team discovered a RFC6749 Open Redirect Attack & Vulnerability in the Facebook API v2.1.

Vulnerability Disclosure Timeline:
2016-05-01: Researcher Notification & Coordination (SaifAllah benMassaoud)
2016-05-03: Vendor Notification (Facebook Whitehat Security Team)
2016-05-08: Vendor Response/Feedback (Facebook Whitehat Security Team)
2016-10-07: Vendor Fix/Patch (Facebook Developer Team)
2016-10-07: Security Acknowledgements (Facebook Whitehat Security Team)
2016-10-10: Public Disclosure (Vulnerability Laboratory)

Discovery Status:

Affected Product(s):
Product: API - Framework 2.1

Exploitation Technique:

Severity Level:

Technical Details & Description:
A vulnerability has been discovered in connection to the RFC6749 Open Redirector Attack in the Facebook  API v2.1.
The RFC6749 Open Redirect Attack vulnerability allows remote attacker to convince an user to click on a trusted link 
which is specially crafted to take them to an arbitrary website, the target website could be used to serve for exmaple 
a malicious malware attack.

The RFC6749 open redirect vulnerability is located in the `response_type`, `client_id` and `redirect_uri` parameters.
The request method to exploit the vulnerability is GET and the attack vector is located on the client-side of the 
framework web-application. The vulnerable code is located in the api v2.1 of the facebook framework. During the 
exploitation the victim Facebook account retrieves a malicious malware link site.

The security risk of the issue is estimated as medium with a cvss (common vulnerability scoring system) count of 3.2. 
Exploitation of the web vulnerability requires no privileged web-application user account and low user interaction.
Successful exploitation of the vulnerability results in session hijacking, non-persistent phishing attacks, 
non-persistent external redirect to malicious sources.

Request Method(s):
[+] GET

Vulnerable Module(s):
[+] /oauth/authorize

Vulnerable Parameter(s):
[+] response_type
[+] client_id
[+] redirect_uri

Proof of Concept (PoC):
When we specify an "invalid" scope then the authorize url redirects to the site mentioned in "redirect_uri". 
So, an attacker can create an app to use it as open redirector that to redirects victims to an internal fake sites.
Attackers are as well able to host phishing pages and to target facebook accounts.

Manual steps to reproduce the vulnerability ...
1. I am registering a new client 
2. I register redirect uri attacker.com
3. Now, visit the following url ...
PoC: oauth/authorize?response_type=code&client_id=1621835668046481&redirect_uri=http://www.attacker.com/&scope=WRONG_SCOPE
4. This will finall redirect to the attacker.com  source
5. Successful reproduce of the vulnerability!

Security Risk:
The security risk of the RFC6749 Open Redirector Attack Vulberability in the Facebook API v2.1 is estimated as medium. (CVSS 3.2)

Credits & Authors:
Vulnerability Laboratory [Research Team] - SaifAllah benMassaoud (http://www.vulnerability-lab.com/show.php?user=SaifAllahbenMassaoud ) ( facebook.com/WhiteHatSecuri )

Disclaimer & Information:
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed 
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable 
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab 
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability mainly for 
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, 
deface websites, hack into databases or trade with stolen data.

Domains:    www.vulnerability-lab.com 		- www.vuln-lab.com 						- www.evolution-sec.com
Section:    magazine.vulnerability-lab.com 	- vulnerability-lab.com/contact.php 				- evolution-sec.com/contact
Social:	    twitter.com/vuln_lab		- facebook.com/VulnerabilityLab 				- youtube.com/user/vulnerability0lab
Feeds:	    vulnerability-lab.com/rss/rss.php 	- vulnerability-lab.com/rss/rss_upcoming.php 			- vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php 	- vulnerability-lab.com/list-of-bug-bounty-programs.php 	- vulnerability-lab.com/register.php

Any modified copy or reproduction, including partially usages, of this file, resources or information requires authorization from Vulnerability Laboratory. 
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by 
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark 
of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material contact (admin@) to get a ask permission.

				    Copyright © 2016 | Vulnerability Laboratory - [Evolution Security GmbH]™

SERVICE: www.vulnerability-lab.com

Sent through the Full Disclosure mailing list
Web Archives & RSS: http://seclists.org/fulldisclosure/