Document Title: =============== Facebook API v2.1 - RFC6749 Open Redirect Vulnerability References (Source): ==================== https://www.vulnerability-lab.com/get_content.php?id=1972 Vulnerability Magazine: https://www.vulnerability-db.com/?q=articles/2016/10/10/facebook-api-v21-hit-rfc6749-open-redirect-attack-vulnerability Release Date: ============= 2016-10-10 Vulnerability Laboratory ID (VL-ID): ==================================== 1972 Common Vulnerability Scoring System: ==================================== 3.2 Product & Service Introduction: =============================== Facebook is a for-profit corporation and online social networking service based in Menlo Park, California, United States. The Facebook website was launched on February 4, 2004 by Mark Zuckerberg, along with fellow Harvard College students and roommates, Eduardo Saverin, Andrew McCollum, Dustin Moskovitz, and Chris Hughes. The founders had initially limited the website's membership to Harvard students; however, later they expanded it to higher education institutions in the Boston area, the Ivy League schools, and Stanford University. Facebook gradually added support for students at various other universities, and eventually to high school students as well. Since 2006, anyone age 13 and older has been allowed to become a registered user of Facebook, though variations exist in the minimum age requirement, depending on applicable local laws. The Facebook name comes from the face book directories often given to United States university students. After registering to use the site, users can create a user profile, add other users as `friends`, exchange messages, post status updates and photos, share videos, use various applications (apps), and receive notifications when others update their profiles. Additionally, users may join common-interest user groups organized by workplace, school, or other topics, and categorize their friends into lists such as `People From Work` or `Close Friends`. In groups, editors can pin posts to top. Additionally, users can complain about or block unpleasant people. Because of the large volume of data that users submit to the service, Facebook has come under scrutiny for their privacy policies. Facebook, Inc. held its initial public offering (IPO) in February 2012, and began selling stock to the public three months later, reaching an original peak market capitalization of $104 billion. On July 13, 2015, Facebook became the fastest company in the Standard & Poor's 500 Index to reach a market cap of $250 billion. Facebook has more than 1.65 billion monthly active users as of March 31, 2016. (Copy of the Homepage: https://en.wikipedia.org/wiki/Facebook ) Abstract Advisory Information: ============================== The vulnerability laboratory core research team discovered a RFC6749 Open Redirect Attack & Vulnerability in the Facebook API v2.1. Vulnerability Disclosure Timeline: ================================== 2016-05-01: Researcher Notification & Coordination (SaifAllah benMassaoud) 2016-05-03: Vendor Notification (Facebook Whitehat Security Team) 2016-05-08: Vendor Response/Feedback (Facebook Whitehat Security Team) 2016-10-07: Vendor Fix/Patch (Facebook Developer Team) 2016-10-07: Security Acknowledgements (Facebook Whitehat Security Team) 2016-10-10: Public Disclosure (Vulnerability Laboratory) Discovery Status: ================= Published Affected Product(s): ==================== Facebook Product: API - Framework 2.1 Exploitation Technique: ======================= Remote Severity Level: =============== Medium Technical Details & Description: ================================ A vulnerability has been discovered in connection to the RFC6749 Open Redirector Attack in the Facebook API v2.1. The RFC6749 Open Redirect Attack vulnerability allows remote attacker to convince an user to click on a trusted link which is specially crafted to take them to an arbitrary website, the target website could be used to serve for exmaple a malicious malware attack. The RFC6749 open redirect vulnerability is located in the `response_type`, `client_id` and `redirect_uri` parameters. The request method to exploit the vulnerability is GET and the attack vector is located on the client-side of the framework web-application. The vulnerable code is located in the api v2.1 of the facebook framework. During the exploitation the victim Facebook account retrieves a malicious malware link site. The security risk of the issue is estimated as medium with a cvss (common vulnerability scoring system) count of 3.2. Exploitation of the web vulnerability requires no privileged web-application user account and low user interaction. Successful exploitation of the vulnerability results in session hijacking, non-persistent phishing attacks, non-persistent external redirect to malicious sources. Request Method(s): [+] GET Vulnerable Module(s): [+] /oauth/authorize Vulnerable Parameter(s): [+] response_type [+] client_id [+] redirect_uri Proof of Concept (PoC): ======================= When we specify an "invalid" scope then the authorize url redirects to the site mentioned in "redirect_uri". So, an attacker can create an app to use it as open redirector that to redirects victims to an internal fake sites. Attackers are as well able to host phishing pages and to target facebook accounts. Manual steps to reproduce the vulnerability ... 1. I am registering a new client 2. I register redirect uri attacker.com 3. Now, visit the following url ... PoC: oauth/authorize?response_type=code&client_id=1621835668046481&redirect_uri=http://www.attacker.com/&scope=WRONG_SCOPE 4. This will finall redirect to the attacker.com source 5. Successful reproduce of the vulnerability! Security Risk: ============== The security risk of the RFC6749 Open Redirector Attack Vulberability in the Facebook API v2.1 is estimated as medium. (CVSS 3.2) Credits & Authors: ================== Vulnerability Laboratory [Research Team] - SaifAllah benMassaoud (http://www.vulnerability-lab.com/show.php?user=SaifAllahbenMassaoud ) ( facebook.com/WhiteHatSecuri ) Disclaimer & Information: ========================= The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability mainly for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data. Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com Section: magazine.vulnerability-lab.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact Social: twitter.com/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register.php Any modified copy or reproduction, including partially usages, of this file, resources or information requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material contact (admin@) to get a ask permission. Copyright © 2016 | Vulnerability Laboratory - [Evolution Security GmbH]™ -- VULNERABILITY LABORATORY - RESEARCH TEAM SERVICE: www.vulnerability-lab.com