Friday, June 28, 2013

OAuth Vulnerability Allowed Hijacking of Facebook Accounts


Just a few months ago Nir Goldshlager disclosed an OAuth vulnerability in Facebook. Security researcher Amine Cherrai has now found a similar vulnerability in Facebook that allowed an attacker to obtain the access_token, with full permissions, of any Facebook account.



"As you may know, a few months ago Facebook closed many bugs, leading to security reinforcement of the 'redirect_uri' parameter to prevent hijacking attacks. One of these reinforcements was rejecting all 'redirect_uri' that have '#' or '#!'," the researcher wrote in his blog.


"While I was looking in the Facebook JavaScript SDK I found something strange: I found that it uses 'http://static.ak.facebook.com/connect/xd_arbiter.php?version=21#channel=f876ddf24&origin=http://localhost&channel_path=/oauth/PoC_js/?fb_xd_fragment#xd_sig=f3adf0e04c&' as a redirect_uri and it's not rejected... So I said let's use it too!!!"

Amine successfully generated a PoC that redirects to another Facebook page with the access token in the URL, but he ran into a problem when redirecting to an external website.

Nir Goldshlager helped by suggesting that, instead of redirecting directly to an external website, the redirect_uri should point at an application on Facebook, and that application should then redirect to the external website. Following Nir's instructions, Amine managed to generate a working final redirect_uri.
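The two passages above describe a blocklist-style redirect_uri check (reject anything containing '#' or '#!') and a bypass that chains through a trusted host. The example below is added here and is neither the researcher's PoC nor Facebook's code: it runs three validation strategies over constructed inputs, including the xd_arbiter URL quoted above, to show which one holds up. The registry `REGISTERED`, the `example-provider.com` hosts, the `OPEN_REDIRECT_URI` value and all function names are assumptions made for this example; why Facebook's own check let the xd_arbiter URL through is not described on this page.

```python
from urllib.parse import urlsplit, urlencode

# Constructed registry (assumption for this example): client_id -> the exact
# redirect URIs the client registered with the provider.
REGISTERED = {
    "client-123": {"https://app.example.com/oauth/callback"},
}

# The redirect_uri quoted in the post, copied verbatim (note the two '#').
XD_ARBITER_URI = (
    "http://static.ak.facebook.com/connect/xd_arbiter.php?version=21"
    "#channel=f876ddf24&origin=http://localhost"
    "&channel_path=/oauth/PoC_js/?fb_xd_fragment#xd_sig=f3adf0e04c&"
)

# Hypothetical open redirector on a provider-owned host: a page that forwards
# the browser to whatever its 'next' parameter says.  Constructed for this
# example; it is not a real Facebook endpoint.
OPEN_REDIRECT_URI = (
    "https://apps.example-provider.com/someapp/?next=https://attacker.example/"
)


def blocklist_check(uri):
    """The rule the post describes: reject any redirect_uri containing '#'.

    A character blocklist says nothing about where the browser ends up, so a
    fragment-free URI that bounces to an attacker host passes it.
    """
    return "#" not in uri


def host_suffix_check(uri, trusted="example-provider.com"):
    """Hypothetical host-based rule: accept the provider's own host and any
    subdomain of it.  Any open redirector on those hosts passes, and so does
    a URI that carries a fragment."""
    host = (urlsplit(uri).hostname or "").lower()
    return host == trusted or host.endswith("." + trusted)


def strict_check(client_id, uri):
    """Exact string match against the client's registered URIs, as RFC 6749
    section 3.1.2.2 requires; a fragment is forbidden outright (section 3.1.2).

    Nothing is normalised: a trailing slash, a different scheme or an extra
    query parameter is a different URI and is rejected.
    """
    if "#" in uri:
        return False
    return uri in REGISTERED.get(client_id, set())


def build_implicit_redirect(uri, access_token):
    """Implicit-grant response: the provider appends the token as a fragment.

    If the redirect_uri already carried a fragment, the token would land
    inside a fragment the requester chose, which is one reason the spec
    forbids fragments in redirect_uri.
    """
    if "#" in uri:
        raise ValueError("redirect_uri must not contain a fragment")
    return uri + "#" + urlencode({"access_token": access_token, "token_type": "bearer"})


if __name__ == "__main__":
    cases = [
        ("registered", "https://app.example.com/oauth/callback"),
        ("xd_arbiter", XD_ARBITER_URI),
        ("open redirector", OPEN_REDIRECT_URI),
    ]
    for label, uri in cases:
        suffix = "facebook.com" if "facebook.com" in uri else "example-provider.com"
        print(
            f"{label:15} blocklist={blocklist_check(uri)!s:5} "
            f"host_suffix={host_suffix_check(uri, suffix)!s:5} "
            f"strict={strict_check('client-123', uri)}"
        )
```

The takeaway for a provider: the blocklist rejects the xd_arbiter URL but waves the open redirector through, the host-suffix rule accepts both, and only the exact-match allowlist rejects every URI the client did not register, including the same callback with a trailing slash.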

See the video demo of how the attack works:

http://www.youtube.com/watch?v=q0i1dMA4X1U
