How To Hack Facebook Accounts With Oculus Integration
Security researcher Josip Franjković explains how attackers could hijack a Facebook account through a Cross-Site Request Forgery (CSRF) vulnerability in the Oculus integration. The bug allowed an attacker to connect a victim's Facebook account to an attacker-controlled Oculus account; once connected, the attacker could extract the victim's access token and use Facebook's GraphQL queries to take over the account.
The vulnerability was reported to Facebook on 24 October and temporarily fixed by the Facebook team; the complete fix was deployed on 30 October 2017. That fix checked whether the user currently logged in on Oculus matched the username parameter from the SSO link, which meant that a login CSRF, a response-splitting bug, or any other way of setting the victim's cookies would defeat it.
A couple of weeks later, Franjković found a login CSRF that could also be used to redirect the victim to an Oculus URL of his choosing, the perfect candidate for bypassing the first fix.
After obtaining the /facebook_login_sso/ link (referred to as $LINK below), the following request could be made with cURL to auth.oculus.com/nonce-redirect/:
curl -v --cookie "oc_ac_at=..snip.." --referer "https://auth.oculus.com/" \
  -d "require_token_for=752908224809889&redirect_uri=https://www.oculus.com/account_receivable/?redirect_uri=$LINK" \
  https://auth.oculus.com/nonce-redirect/
The response contained an /account_receivable/ link carrying a nonce. Opening that link logged the victim into the attacker's Oculus account and then redirected to the SSO link, which skipped the OAuth flow and connected the accounts.
Timeline:
- 18th of November, 2017, 02:40 – Report sent to Facebook
- 18th of November, 2017, 05:10 – First reply from Facebook
- 18th of November, 2017, 10:00 – Temporary fix for the bug (disabled /facebook_login_sso/ endpoint once again)
- 11th of December, 2017 – Bug is now fixed.
This time, the fix was to implement a CSRF check on the /account_receivable/ endpoint and to add an additional click to confirm the link between the Facebook and Oculus accounts.
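The fixes described on this page, illustrated as a constructed Python example. This is not Facebook's or Oculus's code and not the researcher's: the in-memory session store, the `sid` cookie, the `csrf_token`, `username`, `fb_account` and `nonce` parameters, and the user names are all assumptions made for the example. It models a nonce-consuming login endpoint protected by a session-bound CSRF token (so a cross-site request that carries the victim's cookie cannot log that browser into another account), the username-versus-logged-in-user check from the first fix, and the explicit confirmation step before an account link is written.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

SECRET_KEY = b"constructed-example-key"  # constructed; a real service loads this from config

@dataclass
class Session:
    user: Optional[str] = None          # None until a nonce login completes
    pending_link: Optional[str] = None  # Facebook account awaiting the confirmation click

@dataclass
class Request:
    cookies: Dict[str, str]  # attached by the browser to any request, cross-site included
    params: Dict[str, str]   # controlled by whoever builds the request

SESSIONS: Dict[str, Session] = {}  # sid -> Session (stand-in for a real session store)
NONCES: Dict[str, str] = {}        # login nonce -> user it was issued for (single use)
LINKS: Dict[str, str] = {}         # Oculus user -> linked Facebook account

def new_session() -> str:
    """Anonymous session created before login, so a CSRF token can already be bound to it."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = Session()
    return sid

def csrf_token_for(sid: str) -> str:
    """HMAC of the session id. A cross-site request carries the cookie automatically, but the
    attacking page cannot read it and therefore cannot compute this token."""
    return hmac.new(SECRET_KEY, sid.encode(), hashlib.sha256).hexdigest()

def issue_login_nonce(user: str) -> str:
    nonce = secrets.token_urlsafe(16)
    NONCES[nonce] = user
    return nonce

def _checked_session(req: Request) -> Optional[Session]:
    """Return the session only if the request's csrf_token matches its sid cookie."""
    sid = req.cookies.get("sid")
    if sid is None or sid not in SESSIONS:
        return None
    if not hmac.compare_digest(req.params.get("csrf_token", ""), csrf_token_for(sid)):
        return None
    return SESSIONS[sid]

def login_with_nonce(req: Request) -> Tuple[int, str]:
    """Stand-in for the nonce-consuming login endpoint; the CSRF check is what stops a login CSRF."""
    session = _checked_session(req)
    if session is None:
        return 403, "csrf check failed"
    user = NONCES.pop(req.params.get("nonce", ""), None)
    if user is None:
        return 400, "unknown or already used nonce"
    session.user = user
    return 200, "logged in as " + user

def start_link(req: Request) -> Tuple[int, str]:
    """Stand-in for the SSO link handler: username must match the logged-in user (the first
    fix), and even then the link is only recorded as pending."""
    session = _checked_session(req)
    if session is None:
        return 403, "csrf check failed"
    if session.user is None:
        return 401, "not logged in"
    if req.params.get("username") != session.user:
        return 403, "sso username does not match logged-in user"
    if not req.params.get("fb_account"):
        return 400, "fb_account missing"
    session.pending_link = req.params["fb_account"]
    return 200, "confirmation required"

def confirm_link(req: Request) -> Tuple[int, str]:
    """The additional click: only an explicit request with a valid token writes the link."""
    session = _checked_session(req)
    if session is None:
        return 403, "csrf check failed"
    if session.user is None or session.pending_link is None:
        return 400, "nothing to confirm"
    LINKS[session.user] = session.pending_link
    session.pending_link = None
    return 200, "linked"

def legitimate_flow() -> Dict[str, str]:
    """Same-site client holding the token: log in, start the link, confirm it."""
    sid = new_session()
    tok = csrf_token_for(sid)
    login_with_nonce(Request({"sid": sid}, {"nonce": issue_login_nonce("alice"), "csrf_token": tok}))
    start_link(Request({"sid": sid}, {"username": "alice", "fb_account": "fb-alice", "csrf_token": tok}))
    confirm_link(Request({"sid": sid}, {"csrf_token": tok}))
    return dict(LINKS)

def forged_login_attempt() -> Tuple[int, Optional[str]]:
    """Cross-site request: the sid cookie rides along but the token does not, so login is refused."""
    sid = new_session()
    status, _ = login_with_nonce(Request({"sid": sid}, {"nonce": issue_login_nonce("mallory")}))
    return status, SESSIONS[sid].user
```

`legitimate_flow()` returns `{"alice": "fb-alice"}` only after all three steps succeed; `forged_login_attempt()` returns `(403, None)`, showing why a CSRF check on the nonce-consuming login endpoint closes the login-CSRF bypass: without it, the user-match check in `start_link` would be comparing against whichever account the attacker had just logged the victim's browser into.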
Josip Franjković is a web security consultant who participates in various bug bounty programs. He has also been one of Facebook's top Whitehat reporters since 2013.