FB OAuth Misconfiguration Leads to Takeover any Account

Abdelrhman Allam (sl4x0)
3 min readApr 4, 2024

--

بِسْمِ اللَّهِ الرَّحْمَـٰنِ الرَّحِيمِ

Greetings, world! In my recent Pentest Engagement at BugSwagger, I stumbled upon a weird bug while registering to kickstart testing the target with my team. Some time ago, @Jayesh25_ tweeted about a bug that exploited websites supporting “Login with Facebook.” Since then, I’ve included this in my checklist, yet unfortunately, I hadn’t found any vulnerable websites until this discovery that I’m excited to share with you. Trust me, this bug is truly impactful as you will know through this writeup.

Kick Start

The target in question is REDACTED.com, a platform focused on offering courses, books, and related services. During the registration process, users are presented with two options: they can either sign up using their email and password or opt for OAuth authentication via Google or Facebook.

Despite my past experiences, where testing the Facebook bug on various targets yielded little success, I remain determined. Let’s dive in and begin the assessment!

First Impression

Let’s start by clicking ‘Login with Facebook’ and see what will happen:

The methodology goes as we know by those steps:

  • Log in with Facebook on any app.
  • Click “Edit Access.”
  • Uncheck the email address checkbox.
  • Click Continue.

But when I applied this, I found that the website redirected me to an account that holds the email address as the word undefined:

The reason for this uncommon scenario is that after the user confirms logging in with Facebook, the website returns the email parameter value as ‘undefined’ Consequently, when the website queries the email address, it interprets it as this word and grants access to the corresponding account.

Now, you might wonder, where does the Account Takeover come into play? Despite attempting this bug with different Facebook accounts, the outcome remains consistent. Each time, the website redirects me to the victim’s account without any discernible reason.

Rising the Impact

Let’s take a step back and check every single request that goes to the website from clicking ‘confirm’ to the account access.

the below request my friend, @ashabdelrazik discovered the below request:

POST /api/v2/auth/loginsignup/fb/go/st1 HTTP/2
Host: sub.redacted.com
Cookie:TOKEN
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 320
Origin: https://sub.redacted.com
Referer: https://sub.redacted.com/signup
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers

from=fb&id=342605898746434&name=Ashraf&email=undefined&idToken=TOKEN

He simply changed the email parameter value from undefined to any email address registered on this website, for example, my email, and the surprise is that he got into my account with zero interaction from my end.

Now we can takeover any account in the whole website without any Interaction.

Thank you for reading and have a good one!

--

--

Abdelrhman Allam (sl4x0)
Abdelrhman Allam (sl4x0)

Written by Abdelrhman Allam (sl4x0)

Security Researcher @Bugcrowd | Twitter: @sl4x0

Responses (3)