Evil App Steal Facebook Access Token
Facebook says users are responsible for this and that it is not an issue for Facebook, so after 3 months I am disclosing it. They may have made some changes by now, but it still works. So users: do not allow any app to access your data on Facebook, and do not log in anywhere using Facebook. It may be an attacker, and after stealing your Facebook access token he can hack your Facebook account easily.
[#] Title : Evil App Steal Facebook Access Token
[#] Status : Unfixed
[#] Severity : Very High
[#] Works on : Any browser with any version
[#] Homepage : www.facebook.com
[#] Author : Jitendra Jaiswal
[#] Email : jeetjaiswal0@gmail.com
This vulnerability is exploitable against all users who use Facebook apps and allow apps access.
An attacker can modify all app settings in the URL.
Impact of Vulnerability:
An attacker can store a user access token that does not expire for 2 months.
The token also does not expire if the user logs out of Facebook.
1. An attacker can see the inbox, update the status, upload a picture and read all hidden info of the user profile.
2. The user may be redirected to an untrusted page that contains
malware, which may then compromise the user's machine.
Note: An attacker can easily create an app and cause problems for users with stolen access tokens.
Facebook didn't stop that, because when app developers send an app for review, then they know about that.
How it works
Tell the user it's a great app on Facebook, to play and see.
If any signed-in Facebook user clicks the link,
they will be redirected to the OAuth dialog page.
If the user is new, it shows that the app wants to access user info, like any other app,
but after that the app goes to the Facebook app page https://apps.facebook.com/xyz
Important part for storing the token ( ** Facebook uses # when the token goes to a site, so that it is not stored by server functions ** ):
my link goes first to my site and then to the app page, so when it arrives at my site it has the token
after the #. As we know, the # value is never stored in request_uri or query_string.
I use JavaScript to change the # into a ?, and then it is stored in a txt file
with both server functions, request_uri and query_string.
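A check a user or reviewer could run on such a link before following it, added here as an example (not the author's code): it parses the OAuth dialog URL and flags a token response type and a redirect_uri outside the app page host. The trusted host list, the sample links and the function name `inspectOAuthLink` are assumptions made for illustration.

```javascript
// Added example: flag risky parameters in an OAuth dialog link before following it.
// Assumption: the only acceptable redirect host is the app page host named on this page.
const TRUSTED_REDIRECT_HOSTS = ["apps.facebook.com"];

function inspectOAuthLink(link) {
  const findings = [];
  let url;
  try {
    url = new URL(link);
  } catch {
    return { ok: false, findings: ["link is not a parseable URL"], scopes: [] };
  }
  const params = url.searchParams; // values are percent-decoded for us

  // Assumption: a missing response_type is treated as "code" (server-side exchange).
  const types = (params.get("response_type") || "code").split(/[\s,]+/).filter(Boolean);
  if (types.includes("token")) {
    findings.push("response_type=token: token arrives in the #fragment, readable by script on the redirect page");
  }

  const redirect = params.get("redirect_uri");
  if (!redirect) {
    findings.push("no redirect_uri: cannot tell where the token will be sent");
  } else {
    try {
      const target = new URL(redirect);
      if (target.protocol !== "https:") findings.push("redirect_uri is not https");
      if (!TRUSTED_REDIRECT_HOSTS.includes(target.hostname.toLowerCase())) {
        findings.push(`redirect_uri host "${target.hostname}" is not a trusted app host`);
      }
    } catch {
      findings.push("redirect_uri is not an absolute URL");
    }
  }

  const scopes = (params.get("scope") || "").split(/[\s,]+/).filter(Boolean);
  return { ok: findings.length === 0, findings, scopes };
}

// Constructed sample links (placeholder app id, reserved .example host, sample scopes).
const suspicious = "https://www.facebook.com/dialog/oauth?client_id=APP_ID_PLACEHOLDER" +
  "&redirect_uri=https%3A%2F%2Fcollector.example%2Fland&response_type=token&scope=read_mailbox,publish_stream";
const expected = "https://www.facebook.com/dialog/oauth?client_id=APP_ID_PLACEHOLDER" +
  "&redirect_uri=https%3A%2F%2Fapps.facebook.com%2Fxyz&response_type=code&scope=email";

for (const link of [suspicious, expected]) {
  console.log(inspectOAuthLink(link));
}
```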
POC VIDEO :
Facebook Reply For This
Jitendra Jaiswal
Security Researcher/Ethical Hacker