Facebook API v2.1 - RFC6749 Open Redirect Vulnerability

Document Title:
===============
Facebook API v2.1 - RFC6749 Open Redirect Vulnerability


References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=1972

Vulnerability Magazine: https://www.vulnerability-db.com/?q=articles/2016/10/10/facebook-api-v21-hit-rfc6749-open-redirect-attack-vulnerability


Release Date:
=============
2016-10-10


Vulnerability Laboratory ID (VL-ID):
====================================
1972


Common Vulnerability Scoring System:
====================================
3.2


Product & Service Introduction:
===============================
Facebook is a for-profit corporation and online social networking service based in Menlo Park, California, United States. The Facebook website was
launched on February 4, 2004 by Mark Zuckerberg, along with fellow Harvard College students and roommates, Eduardo Saverin, Andrew McCollum, Dustin
Moskovitz, and Chris Hughes. The founders had initially limited the website's membership to Harvard students; however, later they expanded it to
higher education institutions in the Boston area, the Ivy League schools, and Stanford University. Facebook gradually added support for students
at various other universities, and eventually to high school students as well. Since 2006, anyone age 13 and older has been allowed to become a
registered user of Facebook, though variations exist in the minimum age requirement, depending on applicable local laws. The Facebook name comes
from the face book directories often given to United States university students. After registering to use the site, users can create a user profile,
add other users as `friends`, exchange messages, post status updates and photos, share videos, use various applications (apps), and receive
notifications when others update their profiles. Additionally, users may join common-interest user groups organized by workplace, school, or other
topics, and categorize their friends into lists such as `People From Work` or `Close Friends`. In groups, editors can pin posts to top. Additionally,
users can complain about or block unpleasant people. Because of the large volume of data that users submit to the service, Facebook has come under
scrutiny for their privacy policies. Facebook, Inc. held its initial public offering (IPO) in February 2012, and began selling stock to the public
three months later, reaching an original peak market capitalization of $104 billion. On July 13, 2015, Facebook became the fastest company in the
Standard & Poor's 500 Index to reach a market cap of $250 billion. Facebook has more than 1.65 billion monthly active users as of March 31, 2016.

(Copy of the Homepage: https://en.wikipedia.org/wiki/Facebook )



Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered a RFC6749 Open Redirect Attack & Vulnerability in the Facebook API v2.1.


Vulnerability Disclosure Timeline:
==================================
2016-05-01: Researcher Notification & Coordination (SaifAllah benMassaoud)
2016-05-03: Vendor Notification (Facebook Whitehat Security Team)
2016-05-08: Vendor Response/Feedback (Facebook Whitehat Security Team)
2016-10-07: Vendor Fix/Patch (Facebook Developer Team)
2016-10-07: Security Acknowledgements (Facebook Whitehat Security Team)
2016-10-10: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
Facebook
Product: API - Framework 2.1


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Medium


Technical Details & Description:
================================
A vulnerability has been discovered in connection to the RFC6749 Open Redirector Attack in the Facebook  API v2.1.
The RFC6749 Open Redirect Attack vulnerability allows remote attacker to convince an user to click on a trusted link
which is specially crafted to take them to an arbitrary website, the target website could be used to serve for exmaple
a malicious malware attack.

The RFC6749 open redirect vulnerability is located in the `response_type`, `client_id` and `redirect_uri` parameters.
The request method to exploit the vulnerability is GET and the attack vector is located on the client-side of the
framework web-application. The vulnerable code is located in the api v2.1 of the facebook framework. During the
exploitation the victim Facebook account retrieves a malicious malware link site.

The security risk of the issue is estimated as medium with a cvss (common vulnerability scoring system) count of 3.2.
Exploitation of the web vulnerability requires no privileged web-application user account and low user interaction.
Successful exploitation of the vulnerability results in session hijacking, non-persistent phishing attacks,
non-persistent external redirect to malicious sources.

Request Method(s):
[+] GET

Vulnerable Module(s):
[+] /oauth/authorize

Vulnerable Parameter(s):
[+] response_type
[+] client_id
[+] redirect_uri


Proof of Concept (PoC):
=======================
When we specify an "invalid" scope then the authorize url redirects to the site mentioned in "redirect_uri".
So, an attacker can create an app to use it as open redirector that to redirects victims to an internal fake sites.
Attackers are as well able to host phishing pages and to target facebook accounts.

Manual steps to reproduce the vulnerability ...
1. I am registering a new client
2. I register redirect uri attacker.com
3. Now, visit the following url ...
PoC: oauth/authorize?response_type=code&client_id=1621835668046481&redirect_uri=http://www.attacker.com/&scope=WRONG_SCOPE
4. This will finall redirect to the attacker.com  source
5. Successful reproduce of the vulnerability!


Security Risk:
==============
The security risk of the RFC6749 Open Redirector Attack Vulberability in the Facebook API v2.1 is estimated as medium. (CVSS 3.2)


Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - SaifAllah benMassaoud (http://www.vulnerability-lab.com/show.php?user=SaifAllahbenMassaoud ) ( facebook.com/WhiteHatSecuri )


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability mainly for
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies,
deface websites, hack into databases or trade with stolen data.

Domains:    www.vulnerability-lab.com           - www.vuln-lab.com                                              - www.evolution-sec.com
Section:    magazine.vulnerability-lab.com      - vulnerability-lab.com/contact.php                             - evolution-sec.com/contact
Social:     twitter.com/vuln_lab                - facebook.com/VulnerabilityLab                                 - youtube.com/user/vulnerability0lab
Feeds:      vulnerability-lab.com/rss/rss.php   - vulnerability-lab.com/rss/rss_upcoming.php                    - vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php    - vulnerability-lab.com/list-of-bug-bounty-programs.php         - vulnerability-lab.com/register.php

Any modified copy or reproduction, including partially usages, of this file, resources or information requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark
of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material contact (admin@) to get a ask permission.

                                    Copyright  2016 | Vulnerability Laboratory - [Evolution Security GmbH]

Copyright ©2024 Exploitalert.