
Facebook oauth callback link leaked to third party
Posted in Bug Help by @plenum




plenum

Researcher

Hello, the flow is as follows:

1. Click login with Facebook
2. Redirect to Facebook
3. Facebook responds with http://accounts.redacted.net/?oauthcallback=TOKEN
4. Login successful

In step 3 the site is leaking the OAuth redirect link through the referrer to Google. I have tried to copy and paste the link in a private window, but the login fails. Would you report this as a security issue? I have read about the OAuth workflow but I don't really understand how the login is protected.


Posted on 2018-11-01



zseano

Administrator Researcher

Is it a Facebook OAuth token you can grab? Try it on https://developers.facebook.com/tools/explorer/ and if you can successfully query that token's details, then yes, it's a valid bug and should be reported (to Facebook also, since they want to know about access token leaks).

For the bug bounty program, try to see where the token is used for logging in. If they have a mobile app it's usually just one request which takes the token > sets user session.


Posted on 2018-11-03 at 11:45:44am (GMT)




plenum

Researcher

Thanks for the tip. On further inspection, the app seems to be validating the Facebook response based on cookies and a CSRF token. With any attempt to manipulate the request the login fails, except in one case: finding an XSS on the login page.


Posted on 2018-11-04 at 02:13:00am (GMT)
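An added example, not part of the thread and not the site's code: a minimal callback handler showing why a callback link copied into a private window fails when the response is bound to the browser's cookie and a CSRF value, and how the handler can keep the token out of the Referer header. The `state` parameter, the `sid` cookie, the in-memory store and the `accounts.example.test` host are assumptions made for illustration.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

# Constructed in-memory session store: session id -> expected CSRF/state value.
SESSIONS = {}


def start_login(session_id):
    """Issue a one-time state value tied to the browser's session cookie."""
    state = secrets.token_urlsafe(16)
    SESSIONS[session_id] = state
    return state


def handle_callback(url, cookies):
    """Return (status, headers) for an OAuth callback request.

    The callback is accepted only when the state in the URL matches the
    value stored for the session cookie that arrived with the request.
    """
    params = parse_qs(urlsplit(url).query)
    state = params.get("state", [""])[0]
    # pop() makes the state single-use, so a replayed link is rejected too.
    expected = SESSIONS.pop(cookies.get("sid", ""), None)
    if expected is None or not hmac.compare_digest(
        state.encode(), expected.encode()
    ):
        return 403, {"Referrer-Policy": "no-referrer"}
    # Redirect to a clean URL so the page that loads third-party resources
    # never has the token in its address; Referrer-Policy is set as well,
    # as defence in depth.
    return 302, {"Location": "/", "Referrer-Policy": "no-referrer"}


if __name__ == "__main__":
    st = start_login("sess-A")
    link = "http://accounts.example.test/?oauthcallback=TOKEN&state=" + st
    print(handle_callback(link, {}))                 # no cookie -> 403
    print(handle_callback(link, {"sid": "sess-A"}))  # original browser -> 302
    print(handle_callback(link, {"sid": "sess-A"}))  # replay -> 403
```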




zseano

Administrator Researcher

Ah damn :( At least you worked out what was happening and now in future you can easily spot things like this. :)

Side note: I should really create forum notifications for when replies are made to your topic shouldn't I... :p


Posted on 2018-11-06 at 11:00:01am (GMT)




plenum

Researcher

Indeed, it would be great to add notifications. I would like to suggest another feature: show the latest discussions on the home page, maybe in a carousel or something.


Posted on 2018-11-06 at 04:11:28pm (GMT)