Disclaimer: This story is just to give you an idea how misconfigured social login can be exploited.
Hello cruel world,
This is the story of an innocent girl, Derpina Victims, whose BookMyShow account got hacked because she just wanted to know “when will she die” from a stupid viral Facebook app.
Derpina got to know about this “cool” Facebook app that tells her when she will die. All her friends were posting their results, so she tried it as well. Little did she know that the creator of the app is an evil person who collects the access tokens of innocent people and uses those tokens to log into BMS.
So how on earth did BMS allow the evil man to log into Derpina’s account?
Because technically BMS only checked whether the token was a valid FB token and whether Derpina’s email was in its database. BMS never checked which app that access token had been issued to.
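Server-side, the difference comes down to one check on the token's audience. The following is an added example, not BookMyShow's code: the flawed decision the post describes beside a hardened one, run over constructed copies of the JSON that Facebook's `/debug_token` endpoint and Google's `tokeninfo` endpoint return (the app IDs, client IDs, user IDs and account tables are all made up for this example).

```python
import json

# Constructed placeholders for the relying party's own Facebook app ID and
# Google OAuth client ID (not BookMyShow's real values).
OUR_FB_APP_ID = "111111111111111"
OUR_GOOGLE_CLIENT_ID = "222222222222-example.apps.googleusercontent.com"

# Constructed sample of what GET /debug_token?input_token=<user token>
# &access_token=<app-id>|<app-secret> returns for Derpina's token when Facebook
# issued that token to a *different* app (the "when will you die" quiz).
EVIL_APP_TOKEN_INFO = json.loads("""{"data": {"app_id": "999999999999999",
  "type": "USER", "is_valid": true, "user_id": "10001", "scopes": ["email"]}}""")
# Same user, but this token was issued to our own app.
OUR_APP_TOKEN_INFO = json.loads("""{"data": {"app_id": "111111111111111",
  "type": "USER", "is_valid": true, "user_id": "10001", "scopes": ["email"]}}""")
# Constructed Google tokeninfo response for an ID token minted for a quiz app.
GOOGLE_TOKENINFO_EVIL = {"iss": "https://accounts.google.com", "sub": "20002",
  "aud": "333333333333-quiz.apps.googleusercontent.com",
  "email": "derpina@example.com", "email_verified": "true"}

# Constructed account tables for the relying party.
ACCOUNTS_BY_EMAIL = {"derpina@example.com": "acct-derpina"}
ACCOUNTS_BY_FB_ID = {"10001": "acct-derpina"}
ACCOUNTS_BY_GOOGLE_SUB = {"20002": "acct-derpina"}


def vulnerable_fb_login(token_info, email):
    """The logic the post describes: any token Facebook reports as valid, plus
    an e-mail that exists in our database, logs the caller in as that user."""
    if token_info["data"]["is_valid"] and email in ACCOUNTS_BY_EMAIL:
        return ACCOUNTS_BY_EMAIL[email]
    return None


def hardened_fb_login(token_info):
    """Accept the token only if Facebook issued it to *our* app (app_id is the
    token's audience), then find the account by Facebook user id instead of a
    caller-supplied e-mail address."""
    data = token_info.get("data", {})
    if not data.get("is_valid") or data.get("app_id") != OUR_FB_APP_ID:
        return None
    return ACCOUNTS_BY_FB_ID.get(data.get("user_id"))


def hardened_google_login(tokeninfo):
    """Same audience check for Google: 'aud' must be our client ID, and 'sub'
    is the stable Google user id the account is linked on."""
    if tokeninfo.get("aud") != OUR_GOOGLE_CLIENT_ID:
        return None
    return ACCOUNTS_BY_GOOGLE_SUB.get(tokeninfo.get("sub"))
```

With the quiz app's token, `vulnerable_fb_login` hands over Derpina's account while both hardened functions refuse it; the e-mail address is never trusted as the link between the token and the account.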
More technical details are well explained by Bhavuk Jain (@bhavukjain1) on his blog, in the post “Account Takeover Due to Misconfigured Login with Facebook/Google”.
My finding started with an email from BookMyShow claiming that users’ accounts had been compromised because of data leaks on other platforms.
Whether their claim was true or not, I thought to myself: we are not living in 2005. There must be something more to this. So I got my tools ready and tried SQL injection on the login endpoint first. Nothing happened. Then I tried Login with Facebook. I noticed that BMS was using an access_token for login. So I got an access token created by my own app with
Not only was Login with Facebook vulnerable. Just like Facebook, Login with Google was also misconfigured and didn’t check the creator of
13 Jun 2019 at 1:06 AM — Security update email from BookMyShow
13 Jun 2019 at 1:35 AM — Found the vulnerability
13 Jun 2019 at 4:23 AM — Reported with mitigation suggestions
26 Jun 2019 at 9:43 PM — Received email saying the bug has been fixed
28 Jun 2019 at 3:43 PM — Bounty **cough cough** rewarded
Totally unrelated: I am selling ₹2000 worth of BookMyShow GV. If interested, DM me on twitter: @madguyyy