Facebook’s Parse OAuth2 Bug

In this post I’m going to show how I was able to hack into Parse accounts via an OAuth vulnerability.
You can sign in to Parse either by entering your email and password or by signing in with your Facebook account.

[Screenshot from 2013-08-22 17:25:58]

If we click on the “Log in with Facebook” button, a GET request is sent to this URL:

https://www.facebook.com/dialog/oauth?response_type=code&client_id=506576959379594&redirect_uri=https%3A%2F%2Fwww.parse.com%2Fauth%2Ffacebook%2Fcallback&state=3c580f78d588e40668b80dc9b1e310db576cc830e0d02d08&scope=email


The parameters that we have to consider are:

  • response_type
  • client_id
  • redirect_uri
  • scope

So I started building a forged URL that redirects the victim to a malicious site which saves the Parse token in a file. To do this, I started playing with the redirect_uri parameter to see whether it accepted subdomains or subfolders, and this was the result.

Allowed requests:

  • xxx.parse.com (redirect to subdomains allowed)
  • xxx.parse.com/xxx/ (redirect to subfolders allowed)
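As an added example (not from the original post, and not Parse’s or Facebook’s code), here is a Python reconstruction of the lax redirect_uri check the post observed, beside the exact-match check that would have rejected a files.parse.com URL; the client_id table, the `_registrable_domain` helper and the `authorize` decision function are assumptions made for the example.

```python
from urllib.parse import urlsplit

# Registered redirect URI per client_id, taken from the post's first request.
# Constructed lookup table for this example only.
REGISTERED_REDIRECT_URIS = {
    "506576959379594": {"https://www.parse.com/auth/facebook/callback"},
}

def _registrable_domain(host: str) -> str:
    # Assumption: the last two labels are the site's domain (e.g. parse.com).
    # Production code would consult the Public Suffix List instead.
    return ".".join(host.lower().split(".")[-2:])

def lax_redirect_ok(client_id: str, candidate: str) -> bool:
    """Reconstruction (an assumption) of the check the post observed:
    any host under the registered domain, any scheme and any path pass."""
    cand = urlsplit(candidate)
    if not cand.hostname:
        return False
    for uri in REGISTERED_REDIRECT_URIS.get(client_id, ()):
        reg = urlsplit(uri)
        if _registrable_domain(cand.hostname) == _registrable_domain(reg.hostname):
            return True
    return False

def strict_redirect_ok(client_id: str, candidate: str) -> bool:
    """Exact match against a registered URI: scheme, host, port and path
    must all agree, and any query string or fragment is rejected outright."""
    cand = urlsplit(candidate)
    if not cand.hostname or cand.query or cand.fragment:
        return False
    try:
        key = (cand.scheme.lower(), cand.hostname, cand.port, cand.path)
    except ValueError:          # malformed port such as "https://h:abc/"
        return False
    for uri in REGISTERED_REDIRECT_URIS.get(client_id, ()):
        reg = urlsplit(uri)
        if key == (reg.scheme.lower(), reg.hostname, reg.port, reg.path):
            return True
    return False

def authorize(client_id: str, redirect_uri: str) -> str:
    """Decision the authorization endpoint should take: never redirect to an
    unregistered URI, not even to report the error (RFC 6749 section 3.1.2.4)."""
    if strict_redirect_ok(client_id, redirect_uri):
        return "redirect"
    return "error_page"   # render the error in place; do not follow redirect_uri
```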


I noticed that redirect_uri accepted subdomains and subfolders, so I looked for an open redirect vulnerability in Parse’s domain and subdomains, but I couldn’t find anything.

I realized that Parse’s subdomain files.parse.com let me upload an HTML file, so I uploaded an HTML file containing code that redirects to a malicious URL. The resulting URL to view the content of the page was:
http://files.parse.com/07c3d9cb-7a00-48c1-81d2-51d1f90bd8ad/68f9cc54-b661-4448-a4bb-0f413a1bcf8e-wow.html

Final PoC (Facebook has already fixed this issue):
https://www.facebook.com/dialog/oauth?response_type=token&client_id=506576959379594&redirect_uri=http://files.parse.com/07c3d9cb-7a00-48c1-81d2-51d1f90bd8ad/68f9cc54-b661-4448-a4bb-0f413a1bcf8e-wow.html&state=3c580f78d588e40668b80dc9b1e310db576cc830e0d02d08&scope=email

This URL redirects the user to the page, whose script takes the token and saves it to a file.