Hey all 🙂
So today I decided to write a new post from one of my recent simple interesting find with a much higher impact, and this is more like a case study than a technical one.
so there is an application which has 2 ways to access your account which are as follows:
- Using email + password
- Using social account
using both ways a user can access their account as users have explicit option to add social account like Facebook, Google in his account and once user added it, they can use any of way to access the account, and after realizing that I thought what if i get way to add my social account to the victim? that will be easier to way to get victim account access directly.
i checked both endpoints for the login flow of the social login (Facebook) option and it was same.
For Facebook login oauth flaw they were not using “state” parameter which used to protect against CSRF attack, so even while adding social account from applications users setting same flawed oauth implementation is used.
It’s very clear now that attacker just needs to make CSRF poc with his unused Facebook token generated by target application to send the victim, after successful CSRF request attackers social account will get added into victims account and attacker can login into victim account with all privileges using his own(attacker) social account.
isn’t it was simple one with much impact and turned out the highest payout for that program.
So sometimes simple login CSRF can be used to exploit in different ways with different functionality in the application, so it’s always good to be protected from everything.
Hey nice article.what tools do you use for your web pentesting?
Thanks, most of time i do use burp suite.
Nice write-up. Thanks for the sharing.
Leetness Overloaded 😉
great! a more detailed write up will be awesome, however is good write! congrats!
Yeahhhh!
You are great ak
Nice Write-up,
Since They were not using “State Parameter” .
Attacker can also send his Facebook Access Token to Authenticated Victim to link attacker Facebook Account .
?
No, maybe you can send disconnect link before sending to oauth connect!
Nice Writeup. @ak1T4 for real scenario refer this.. https://hackerone.com/reports/127703
I found one like that now how to exploit ,
Any detailed exploiation writeups
Thanks in advance
Did not understand how it will work .
I did not get how if the state parameter was not checked properly how can it lead to a CSRF.
Plz add requests and responses for the same!
Thanx in advance ,Luv ur Writeups !
Read about Facebook OAuth flow, where “state” param used to prevent CSRF.