Hi mates, I’m Mahmoud — aka brbr0s. I’m a bug hunter who’s always trying to learn more and get better at what I do. I’m mainly focused on red teaming fields and hope to go deeper in this track specifically in the future. In this blog, I’ll be sharing some of the bugs I find and the things I learn along the way.
First of all, we attribute all grace to Allah; without Him, we would not have been guided, nor given charity, nor prayed. Let’s get started
I will demonstrate how I got my first bounty on Bugcrowd, which related to Broken OAuth Linking Function
Our target has purchase and shipping processes.
After getting hit with a duplicate from the same target with no other findings, I came out that this target’s bugs have been completely disproved.
But the last thing that caught my eyes is “Connect to Facebook”, a new thing that I never tested before, but let’s try.
With this function the target links your account with provided Facebook account, to let you logging in directly without needing for email:password
After hitting the button with the burp in background, I noticed the connecting request’s body has these json flags:
{ "facebookId": "122109215XXXXXXXXX", "shortTermAccessToken": "access_token" }This approach is related to OAuth mechanism, In short it’s a way to link your Facebook profile with your account on another app, the app asks Facebook for your unique facebookId and a special and temporary shortTermAccessToken. These act as a key:token pair, confirming it’s really you, allowing the app to connect with your Facebook profile.
This facebookId is publicly accessible and commonly exposed across various Facebook integrated platforms, making it relatively easy to obtain.
Suspecting the token handling may have been configured incorrectly, I sent the request again with set the shortTermAccessToken value as “dummy”:
{ "facebookId": "122109215XXXXXXXXX", "shortTermAccessToken": "dummy" }After forwarding it, the server responded with a 200 OK, awesomeee, it accepted the random value!!!
The critical flaw here is that the application doesn’t validate the shortTermAccessToken against the provided facebookId at all. Think of it like you can log into a website using only the victim’s email address, without needing a password.
This means I can link any victim’s Facebook account using his facebookId —which already in the wild— to my own account, when he try to login using “Log in with Facebook” he will be logged into my controlled account.
So I hurry up and create a new account then linked it with his Facebook account as any normal user will do.
Back to the attacker account, and send connection request again with burp interception, then change facebookId to the victim one, with “dummy” token
{ "facebookId": "122107214XXXXXXXXX", "shortTermAccessToken": "dummy" }Annnd!!
200 OK
The incredible thing is that, even if the Facebook account is already linked to another user account, after this action the site will unlink the victim Facebook account from his account and link it to mine.
I tried to do the same approach with “Login with Facebook”, but unfortunately the developer was awake here, and it rejected the dummy token within it.
But very satisfying so far
Steps To Reproduce
- Attacker creates a normal account with email/password.
- Attacker intercepts the Facebook linking request.
- Replaces the facebookId with a known victim’s ID (which is already in public).
- Sends the request with dummy token-word.
- Facebook ID is unlinked from the victim’s original account and bound to the attacker’s.
- Victim logs in normally via Facebook -> gets routed into attacker’s account.
Impact
When the victim logs in using Facebook OAuth as normal, they are logged into the attacker’s account, because that Facebook ID is now associated with it
- The attacker can pre-fill their account with: Their own shipping address
- Any actions performed by the victim (such as placing an order or adding bank info) are saved to the attacker’s account, not their own.
This results in:
- Shipping fraud (goods shipped to attacker)
- Data theft (victim’s data added into attacker account) [Bank Account Info]
Tips Don’t assume that any site is completely secure, here this was the last function I gave it a try.
Let’s connect on X
