A week after my first Facebook bounty, I found another place where Facebook made the same mistake of not frame-busting. And guess what, it's another whole domain: developers.facebook.com. It includes all the documentation and examples for using the Facebook Graph API and other products like the Legacy REST API, FQL and the Chat API. An attacker can do a whole lot of stuff with this once he iframes it.
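The root cause above is a page that can be loaded inside a cross-origin frame. The following check is an added example, not code from the original post: it classifies a response's anti-framing headers, covering X-Frame-Options (RFC 7034) and also the CSP frame-ancestors directive, which post-dates this bug but is what a current audit would look for. The sample header sets and their names are constructed for the example, not captured from Facebook.

```python
"""Classify whether an HTTP response allows itself to be framed cross-origin.

Rules applied (a simplification of browser behaviour):
  * CSP 'frame-ancestors' wins over X-Frame-Options when both are present.
  * X-Frame-Options with several comma-separated values is ignored by browsers,
    so it is treated as no protection at all.
  * ALLOW-FROM is a legacy value most browsers ignore, so it is rated 'weak'.
"""
from typing import Dict, List, Optional

# Constructed sample responses (name -> headers); not real captured traffic.
SAMPLE_RESPONSES: Dict[str, Dict[str, str]] = {
    "no_header": {"Content-Type": "text/html"},
    "deny": {"Content-Type": "text/html", "X-Frame-Options": "DENY"},
    "sameorigin": {"X-Frame-Options": "SAMEORIGIN"},
    "conflicting": {"X-Frame-Options": "DENY, SAMEORIGIN"},
    "allow_from": {"X-Frame-Options": "ALLOW-FROM https://example.invalid"},
    "csp_self": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'"},
    "csp_wildcard": {"Content-Security-Policy": "frame-ancestors *"},
}


def xfo_policy(headers: Dict[str, str]) -> Optional[str]:
    """Return the normalised X-Frame-Options value, or None if absent/unusable.

    `headers` must already have lower-cased keys.
    """
    raw = headers.get("x-frame-options")
    if raw is None:
        return None
    value = raw.strip().upper()
    if "," in value:
        return None  # conflicting values: browsers drop the whole header
    if value in ("DENY", "SAMEORIGIN") or value.startswith("ALLOW-FROM "):
        return value
    return None  # unknown token, not enforced


def frame_ancestors(headers: Dict[str, str]) -> Optional[List[str]]:
    """Return the source list of the CSP frame-ancestors directive, or None."""
    csp = headers.get("content-security-policy")
    if csp is None:
        return None
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            # An empty source list is equivalent to 'none' in CSP.
            return parts[1:] or ["'none'"]
    return None


def framing_protection(headers: Dict[str, str]) -> str:
    """Classify one response as 'protected', 'weak' or 'unprotected'."""
    h = {k.lower(): v for k, v in headers.items()}
    ancestors = frame_ancestors(h)
    if ancestors is not None:
        # '*' or a bare scheme such as 'https:' lets any site frame the page.
        if any(tok == "*" or tok.endswith(":") for tok in ancestors):
            return "unprotected"
        return "protected"
    policy = xfo_policy(h)
    if policy in ("DENY", "SAMEORIGIN"):
        return "protected"
    if policy is not None and policy.startswith("ALLOW-FROM"):
        return "weak"
    return "unprotected"


def audit(responses: Dict[str, Dict[str, str]] = SAMPLE_RESPONSES) -> Dict[str, str]:
    """Run the classification over a set of named responses."""
    return {name: framing_protection(hdrs) for name, hdrs in responses.items()}


def framable(responses: Dict[str, Dict[str, str]] = SAMPLE_RESPONSES) -> List[str]:
    """Names of responses that should be flagged (anything not 'protected')."""
    return sorted(n for n, verdict in audit(responses).items() if verdict != "protected")


if __name__ == "__main__":
    for name, verdict in audit().items():
        print(f"{name:14s} {verdict}")
```

A page that serves sensitive, user-specific content (like documentation examples filled in with a live access token) should come out as `protected`; anything else is a candidate for the framing attack the post goes on to describe.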

Here's the PoC code that works on Firefox. Download Code
I decided to write about one of the attacks that is possible with this bug. As we all know, the documentation includes some really good examples for using the API, with some nifty access tokens carrying the credentials of the currently logged-in user. This special token in the documentation comes with some extra-special permissions like read_stream, user_status, user_birthday, user_relationships and many more, which even your normal friends can't see.
Stealing the Access Token :
Now the interesting part is getting the token sitting inside the source code. It's possible to steal it with many attack vectors, and I decided to write a PoC using a double drag-and-drop technique which works on Firefox and IE. Google Chrome resists this attack because it disallows cross-domain drag and drop, and view-source can't be iframed either.
Double Drag & Drop:
Here's the PoC, which uses view-source to iframe the source code of the page containing the access token. It's better to use a double view-source so that everything is rendered as plain text and all clickable links are disabled. The trick is to fool the user (any chicken is fine) by making him play a game with a ball and a trash can.
I'll now show some screenshots of what a real attack would look like. A video would have been better, but I'm just lazy sometimes.
What really happened? Here's what happened behind the scenes!
First drag: everything in the IFRAME gets selected.
Second drag: the mighty cross-domain drag.

The user clicks Go and the source of the page is sent to the attacker.
What can the attacker do?
Here's a gist of what the attacker can get if I get owned by this attack!
Response from Facebook Security:
I reported this bug to Facebook on August 28th, 2011, and the fix was up the very next day.