Wednesday, 27 July 2016

Hack Facebook By Obtaining Facebook Access tokens In Device Login

To make logging into applications and services easier, Facebook introduced Facebook Login for Devices. Aimed mainly at Internet of Things devices, it lets people log into Smart TVs, digital photo frames and similar hardware.
While using this feature, the IoT device shows a code that you enter on a web page opened on your PC or smartphone. This can be used to grant permission to new apps and services.

Josip Franjkovic, a renowned Facebook white hat hacker and one of Facebook's top 10 bug reporters since 2013, found a vulnerability in Facebook's device login feature.

Hacking Facebook by exploiting device login flow:
To get permission, the new application asks the Facebook Graph API for a hash code and a user_code. The app then tells the user to go to facebook.com/device and enter the user_code provided by the Graph API.

The next step is verification of the application via the OAuth flow. Here, the user_code entered by the user is bound to the app code.

Here's what that request looks like:
https://www.facebook.com/v2.5/dialog/oauth?redirect_uri=https%3A%2F%2Fm.facebook.com%2Fdevice.php%3FuserCode%3D{$user_code}&client_id=1234
The application can then ask the Graph API for the user's access_token:
graph.facebook.com/oauth/device?type=device_token&client_id=1&code=hash_code
Franjkovic found the flaw in the step where the user_code is bound to the application code. This step was performed without any CSRF protection:
https://m.facebook.com/device.php?userCode=$userCode&code=$appCode
To demonstrate the vulnerability, Franjkovic built a proof of concept. In his exploit, an attacker requests a user_code as described in the first step and presents the victim with a page that uses it. This works only because of the missing CSRF protection.

Suppose an attacker obtains the user_code abcd and the hash code 1234; he or she can then craft a page with the URL:
https://www.facebook.com/v2.5/dialog/oauth?redirect_uri=https%3A%2F%2Fm.facebook.com%2Fdevice.php%3FuserCode%3Dabcd&client_id=1234
The next step is a redirect to something like this:
https://m.facebook.com/device.php?userCode=abcd&code=aZx…
Now the attacker can get the access_token of the user by requesting:
graph.facebook.com/oauth/device?type=device_token&client_id=1&code=4567
To carry out this exploit, an attacker needs to know that the user has approved some app for Login for Devices. Every app that has Login for Devices enabled and Web OAuth Login disabled automatically gets m.facebook.com/device.php as a valid redirect.
With further tweaks, a pre-approved application can be exploited to hack a Facebook account.
Franjkovic reported the vulnerability; Facebook has since fixed it and awarded him a bug bounty of $5,000.

After the fix, Facebook shows a re-confirmation pop-up each time you use device login, and the missing CSRF protection has been added.
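To show why the missing CSRF check on the binding step mattered, here is an added toy model of the device-login flow (example code written for this post, not Facebook's implementation; all endpoint names, codes and users are constructed). The same server is run once without and once with a session-bound CSRF token on the binding request, mirroring the fix described above.

```python
import hmac
import secrets


class DeviceLoginServer:
    """Minimal model of the three steps above: issue codes, bind user, poll token."""

    def __init__(self, require_csrf):
        self.require_csrf = require_csrf  # False = pre-fix behaviour, True = post-fix
        self.pending = {}   # user_code -> {"device_code", "client_id", "user"}
        self.sessions = {}  # session id (cookie) -> {"user", "csrf"}

    def register_device(self, client_id):
        """Step 1: device asks the API for a user_code / device_code pair."""
        user_code, device_code = secrets.token_hex(2), secrets.token_hex(16)
        self.pending[user_code] = {"device_code": device_code,
                                   "client_id": client_id, "user": None}
        return user_code, device_code

    def login(self, user):
        """Browser login: session cookie plus a per-session CSRF token."""
        sid = secrets.token_hex(8)
        self.sessions[sid] = {"user": user, "csrf": secrets.token_hex(16)}
        return sid

    def bind_device(self, sid, user_code, csrf_token=None):
        """Step 2 (device.php): bind the logged-in user to the pending user_code."""
        sess = self.sessions.get(sid)
        if sess is None or user_code not in self.pending:
            return False
        # The fix: a cross-site request carries the cookie but cannot know the token.
        if self.require_csrf and not (csrf_token and
                                      hmac.compare_digest(csrf_token, sess["csrf"])):
            return False
        self.pending[user_code]["user"] = sess["user"]
        return True

    def poll_token(self, client_id, device_code):
        """Step 3: device polls for the access_token once a user is bound."""
        for entry in self.pending.values():
            if (entry["device_code"], entry["client_id"]) == (device_code, client_id) \
                    and entry["user"]:
                return f"token-for-{entry['user']}"
        return None


def forged_binding_succeeds(require_csrf):
    """Cross-site request: victim's cookie is sent automatically, no CSRF token."""
    srv = DeviceLoginServer(require_csrf)
    user_code, device_code = srv.register_device(client_id="1234")
    victim_sid = srv.login("victim")          # victim is already logged in
    srv.bind_device(victim_sid, user_code)    # request triggered from a foreign page
    return srv.poll_token("1234", device_code) is not None


def legitimate_binding_succeeds():
    """Normal flow under the fix: the page includes the session's own CSRF token."""
    srv = DeviceLoginServer(require_csrf=True)
    user_code, device_code = srv.register_device(client_id="1234")
    sid = srv.login("alice")
    srv.bind_device(sid, user_code, csrf_token=srv.sessions[sid]["csrf"])
    return srv.poll_token("1234", device_code) == "token-for-alice"
```

The re-confirmation pop-up Facebook added is a second, user-visible layer on top of this token check; the model above only covers the token.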
