Facebook API v2.1 hit by RFC6749 Open Redirect Attack Vulnerability


The Vulnerability Laboratory core team researcher "SaifAllah benMassaoud" discovered a zero-day RFC 6749 open redirector vulnerability in Facebook API v2.1. The vulnerability allows a remote attacker to prepare a manipulated client-side application whose specially crafted browser requests take users to an arbitrary website; that website could be used to serve malware.

The RFC 6749 zero-day open redirector vulnerability is located in the 'response_type', 'client_id' and 'redirect_uri' parameters of the GET request. During exploitation the victim's Facebook account session is sent on to the malware link site. The security risk of the vulnerability is estimated as medium. Exploitation requires a medium-privileged web-application user account. Successful exploitation results in session hijacking, persistent phishing attacks, persistent external redirects to malicious

Vulnerable Module(s):
[+] /oauth/authorize
 
Vulnerable Parameter(s):
[+] response_type
[+] client_id
[+] redirect_uri
 
Affected Product(s) & Version(s):
Facebook API - Framework
 
Affected Version(s):
v2.1

Proof of Concept (PoC)

When an "invalid" scope is specified, the authorize URL redirects to the site given in "redirect_uri". An attacker can therefore create an app and use it as an open redirector that sends victims to fake sites. Attackers are also able to host phishing pages and to target Facebook accounts.

Manual steps to reproduce the vulnerability:
1. I register a new client.
2. I register the redirect URI attacker.com.
3. Now, visit the following URL:
PoC: oauth/authorize?response_type=code&client_id=1621835668046481&redirect_uri=http://www.attacker.com/&scope=WRONG_SCOPE
4. This will finally redirect to the attacker.com source.
5. Successful reproduction of the security vulnerability in the Facebook API and framework!
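As an added illustration (not code from the advisory, from Vulnerability Lab, or from Facebook), the following Python models the authorization-endpoint behaviour described above against a constructed client registry, and places beside it a hardened handler that never issues a redirect on an error, following the warning in RFC 6749 section 10.15 that an authorization server must not act as an open redirector. The client registry, the scope list, the handler names and the "render the error locally instead of redirecting" policy are assumptions made for this example; only the PoC query string and the client_id it carries come from the advisory.

```python
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed client registry (an assumption for this example, not Facebook data).
# The client_id is the one from the advisory's PoC URL; the redirect URI registered
# for it is the attacker-controlled host named in the PoC.
REGISTERED_CLIENTS = {
    "1621835668046481": {"redirect_uris": {"http://www.attacker.com/"}},
    "app-trusted": {"redirect_uris": {"https://trusted.example/callback"}},
}

# Constructed list of scopes this authorization server understands.
KNOWN_SCOPES = {"public_profile", "email", "user_friends"}

# PoC request from the advisory, parsed into the parameters the endpoint sees.
POC_URL = ("oauth/authorize?response_type=code&client_id=1621835668046481"
           "&redirect_uri=http://www.attacker.com/&scope=WRONG_SCOPE")


def parse_authorize_query(url):
    """Return the query parameters of an authorize URL as a flat dict."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


POC_PARAMS = parse_authorize_query(POC_URL)


def _client_and_uri_valid(params):
    """Exact-match the redirect_uri against the client's registered URIs
    (RFC 6749 3.1.2.2); a failure here must never produce a redirect."""
    client = REGISTERED_CLIENTS.get(params.get("client_id", ""))
    return client is not None and params.get("redirect_uri", "") in client["redirect_uris"]


def _unknown_scopes(params):
    return set(params.get("scope", "").split()) - KNOWN_SCOPES


def vulnerable_authorize(params):
    """Models the behaviour the advisory describes: once client_id and
    redirect_uri check out, an unknown scope is reported by an immediate 302
    to the registered redirect_uri with no user interaction in between, so any
    registered app turns the endpoint into an open redirector."""
    if not _client_and_uri_valid(params):
        return {"status": 400, "body": "invalid client_id or redirect_uri"}
    if _unknown_scopes(params):
        return {"status": 302,
                "location": params["redirect_uri"] + "?" + urlencode({"error": "invalid_scope"})}
    return {"status": 200, "body": "consent page"}


def hardened_authorize(params, user_consented=False):
    """Hardened handler: every error is rendered on the authorization server's
    own page, and a 302 to redirect_uri is issued only after the user has
    explicitly approved this specific request (user_consented=True)."""
    if not _client_and_uri_valid(params):
        return {"status": 400, "body": "invalid client_id or redirect_uri"}
    if params.get("response_type") != "code":
        return {"status": 400, "body": "unsupported_response_type"}
    bad = _unknown_scopes(params)
    if bad:
        return {"status": 400, "body": "invalid_scope: " + ",".join(sorted(bad))}
    if not user_consented:
        # Show the consent page; nothing leaves the authorization server yet.
        return {"status": 200, "body": "consent page"}
    return {"status": 302,
            "location": params["redirect_uri"] + "?" + urlencode({"code": "CONSTRUCTED-CODE"})}


if __name__ == "__main__":
    print("vulnerable:", vulnerable_authorize(POC_PARAMS))
    print("hardened:  ", hardened_authorize(POC_PARAMS))
```

Running the PoC parameters through `vulnerable_authorize` yields a 302 to http://www.attacker.com/ without the user ever seeing a consent screen, which is exactly the open-redirector condition; `hardened_authorize` answers the same request with a local 400 page, and only redirects a valid request once the user has consented, so the endpoint can no longer be used to bounce victims off the authorization server's trusted domain.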

The core team security researcher "Saif Allah ben Massoudi" has been rewarded with $1,000 (USD) for the zero-day security vulnerability in the Facebook API. Facebook resolved the issue in the last days and provided a secure update to prevent exploitation of the vulnerability.

Advisory: https://www.vulnerability-lab.com/get_content.php?id=1972
