Add comment on a private Oculus Developer bug report

Hello guys, this time I would like to share with you how I was able to add comments on private bug reports on Oculus Developer support, so let’s get started. :)

What is Oculus

Oculus VR is an American technology company founded by Palmer Luckey, Brendan Iribe, Jack McCauley, Michael Antonov and Nate Mitchell in July 2012 in Irvine, California; it is now owned by Facebook. For more details see this link.

Story of Finding

I had already tested Oculus a couple of months ago but didn’t find any bug in it. Then, on 17 Sep., I decided to test it again. While poking around the Oculus Developer domain, I noticed an option called Report a Bug, where users can submit their bugs (not security bugs) to the Oculus support team.

This is how the support dashboard looks; you can see other users’ public bugs.

When I saw this option I decided to test it, but before we do that let’s see how the option works, so let’s analyze it :)

Analyzing Phase

While analyzing this option I noticed the following:

  • Users can submit their bugs in two ways: public bugs and private bugs.
  • You can make your bug private by checking the “Keep Private” option, as shown above.

Testing Phase

I created a public bug and added a comment to it; after that I replied to my own comment and intercepted the request with Burp Suite to see what kind of parameters this option sends. The request looked like this:

POST /graphql?locale=user HTTP/1.1
Host: graph.oculus.com

access_token=My-Acces-Token&variables={"input":{"client_mutation_id":"1","comment_parent_id":"556190998150906","external_post_id":"548709645565708","message":"what ever"}}&blablabla

As you can see above, we have two interesting parameters:

1- "comment_parent_id" ==> refers to my bug ID (you can find any public bug ID in the URL, as in https://developer.oculus.com/bugs/bug/your-bug-ID/).

2- "external_post_id" ===> refers to the ID of the comment (my comment) that I replied to.

When I saw the above request, two plans came to my mind :)

Plan A: I wanted to add comments on other users’ private bugs by replacing my bug ID with their bug ID. It didn’t work :(

Plan B: I wanted to add comments on other users’ private bugs by replacing the external_post_id value with another user’s value, i.e. the ID of their comment in their private bug. I created two test accounts in order to reproduce this and it worked like a charm: I bypassed their protection because they were checking only the bug ID, not external_post_id (the comment ID). I knew that plan B would work while I was still at the plan A stage; don’t ask me how!!, I just felt it.

The attacker bypassed the Oculus protection and added a comment on the victim’s private bug.
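To make the authorization gap concrete, here is an added Python model of the “reply to comment” mutation (example code, not Oculus or Facebook code): the vulnerable handler authorizes only the bug named in comment_parent_id, while the fixed handler also requires that external_post_id belong to that same bug before checking access. The bug and comment IDs, the attacker/victim accounts and the support-team set are constructed sample data.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Bug:
    id: str
    owner: str
    private: bool


@dataclass(frozen=True)
class Comment:
    id: str
    bug_id: str  # the bug this comment lives under


# Constructed sample data (assumption, not real Oculus IDs):
# the attacker owns public bug 100, the victim owns private bug 200.
BUGS = {
    "100": Bug("100", owner="attacker", private=False),
    "200": Bug("200", owner="victim", private=True),
}
COMMENTS = {
    "c1": Comment("c1", bug_id="100"),  # attacker's own comment
    "c2": Comment("c2", bug_id="200"),  # victim's comment on the private bug
}
SUPPORT_TEAM = {"support"}


def can_view_bug(user: str, bug: Bug) -> bool:
    return (not bug.private) or bug.owner == user or user in SUPPORT_TEAM


def reply_vulnerable(user: str, variables: dict) -> str:
    """As in the write-up: only the bug in comment_parent_id is authorized."""
    bug = BUGS.get(variables["comment_parent_id"])
    parent = COMMENTS.get(variables["external_post_id"])
    if bug is None or parent is None or not can_view_bug(user, bug):
        return "denied"
    # The comment is stored under the parent comment, i.e. on parent.bug_id,
    # which was never authorized.
    return f"comment added under {parent.id} on bug {parent.bug_id}"


def reply_fixed(user: str, variables: dict) -> str:
    """Authorize the object actually written to: parent must belong to the bug."""
    bug = BUGS.get(variables["comment_parent_id"])
    parent = COMMENTS.get(variables["external_post_id"])
    if bug is None or parent is None or parent.bug_id != bug.id:
        return "denied"
    if not can_view_bug(user, bug):
        return "denied"
    return f"comment added under {parent.id} on bug {parent.bug_id}"


# Plan B from the write-up: the attacker's own bug ID, but the victim's comment ID.
PLAN_B = {"client_mutation_id": "1", "comment_parent_id": "100",
          "external_post_id": "c2", "message": "what ever"}
```

The same pattern applies to any mutation that takes several object IDs: authorize against the object the write actually lands on, and reject requests whose IDs do not belong together.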

Bug Limitation

There was only one limitation in this bug. The question is how an attacker can get other users’ comment IDs from their private bugs, since those bugs are set as private and, as I mentioned before, no one can see private bugs except the owner of the bug and the support team!!! It is really a good question; yes, it is hard to find them, but not impossible. Let’s say someone was able to disclose other users’ comment IDs, or an attacker could make a list of random comment IDs, perform a random attack and add his comment on random private bugs. Who knows? Everything is possible :). Also, I can say that fixing this kind of bug is always the right thing to do.

I reported this bug directly to the Facebook Security Team, and they accepted it as a valid bug.

I would like to thank the Facebook Security Team for the bounty.

Timeline:
Sep. 17, 2018 — Initial Report
Sep. 19, 2018 — Report Triaged
Oct. 05, 2018 — Bug Fixed
Oct. 05, 2018 — Fix Confirmed
Oct. 10, 2018 — Bounty awarded

PoC Video:

Takeaways:

1- Check your target from time to time, as always.

2- Understand how the web app works and what permissions you have.

3- Be creative :).

Thank you

Sarmad Hassan (JubaBaghdad)
