Facebook oauth callback link leaked to third party
Posted in Bug Help by @plenum
Hello,

The flow is as follows:

1. Click login with Facebook
2. Redirect to Facebook
3. Facebook responds with http://accounts.redacted.net/?oauthcallback=TOKEN
4. Login successful

In step 3 the site is leaking the OAuth redirect link through the referrer to Google. I have tried to copy and paste the link in a private window, but the login fails. Would you report this as a security issue? I have read about the OAuth workflow, but I don't really understand how the login is protected.
Is it a Facebook OAuth token you can grab? Try it on https://developers.facebook.com/tools/explorer/ and if you can successfully query that token's details, then yes, it's a valid bug and should be reported (to Facebook also, since they want to know about access token leaks).
For the bug bounty program, try to see where the token is used for logging in. If they have a mobile app, it's usually just one request which takes the token > sets user session.
Thanks for the tip. On further inspection, the app seems to be validating the Facebook response based on cookies and a CSRF token. With any attempt to manipulate the request, the login fails, except in one case: finding an XSS on the login page.
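The protection described in the post above, sketched from the site's side as an added example (not part of the thread and not the target's code): the callback is accepted only when it carries the one-time CSRF value bound to the same browser's session cookie, and the response redirects to a token-free URL with `Referrer-Policy: no-referrer` so the callback link is not sent to third parties. The `state` parameter name, the in-memory `SESSIONS` store and the `verify_token` callable are assumptions for illustration.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

SESSIONS = {}  # constructed in-memory store: session cookie value -> session data

# Sent on every callback response so the callback URL is never used as a Referer.
NO_LEAK = {"Referrer-Policy": "no-referrer", "Cache-Control": "no-store"}

def begin_login(session_cookie):
    """Before redirecting to the provider: bind a one-time state to this browser."""
    state = secrets.token_urlsafe(32)
    SESSIONS[session_cookie] = {"state": state, "user": None}
    return state  # assumption: sent to the provider and echoed back as ?state=

def handle_callback(url, session_cookie, verify_token):
    """Process the callback; verify_token is a hypothetical token -> user lookup."""
    params = parse_qs(urlsplit(url).query)
    token = params.get("oauthcallback", [""])[0]
    state = params.get("state", [""])[0]
    session = SESSIONS.get(session_cookie)
    # Pop the state so a callback URL works once, even in the right browser.
    expected = session.pop("state", None) if session else None
    if not (token and expected and
            hmac.compare_digest(state.encode(), expected.encode())):
        return 403, dict(NO_LEAK)
    session["user"] = verify_token(token)
    # Redirect to a token-free URL before any page with third-party resources renders.
    return 303, {"Location": "/", **NO_LEAK}
```

A callback link copied into another browser arrives without the matching session cookie and gets the 403, which matches the failed private-window attempt described earlier in the thread.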
Ah damn :( At least you worked out what was happening, and now in future you can easily spot things like this. :)
Side note: I should really create forum notifications for when replies are made to your topic shouldn't I... :p
Indeed, it would be great to add notifications. I would like to suggest another feature: showing the latest discussions on the home page, maybe a carousel or something.