2025-01-19 Update From: SLTechnology News&Howtos shulou NAV: SLTechnology News&Howtos > Network Security >
Shulou(Shulou.com)05/31 Report--
This article walks through a CSRF vulnerability in the mechanism Facebook used to verify new accounts through Gmail or G-Suite. The details are given below for readers who want to follow the analysis.
The vulnerability described here is a CSRF weakness in the token verification of the flow that confirms a newly created Facebook account with a Gmail or G-Suite address. With minimal user interaction from the victim, an attacker could use it to get an account registered by the attacker verified against the victim's mailbox, in effect an indirect CSRF attack. Facebook awarded an official $3000 bounty for the report.
Insufficient verification of the CSRF token in the OAuth login mechanism
When a user creates a new Facebook account with a Gmail or G-Suite address, there are two ways to verify it:
Receive a 5-digit verification code at the Gmail address and enter it on the Facebook page to confirm
Complete a third-party OAuth authorization redirect login with the Gmail or G-Suite account
The first method is unlikely to be bypassed: Facebook's back-end Checkpoint security mechanism and strict rate limiting would quickly block any brute-force attempt or suspicious behaviour. So let's look at the second method. After some testing, I found a CSRF vulnerability caused by the missing CSRF token validation during the OAuth authorization redirect login. The OAuth login link looks like this:
https://accounts.google.com/o/oauth3/auth?client_id=15057814354-80cg059cn49j6kmhhkjam4b00on1gb2n.apps.googleusercontent.com&state=ARf8Zzq50032sck96TSFssFhWVvMUWO7KEJlq3n3_7Yp73WcWvlpyFn1dpdoUGv5QOLAn2ffrRZ_L_3ZfAncV_I0Ihog80LabpToEfHUIgfzBK720-pGRNbXGeYkETOwjeCfbsl70shdjuLnp3jC4dIsn-xPTwoggineLFh44F61bbYGsg&response_type=code&redirect_uri=https%3A%2F%2Fwww.facebook.com%2Foauth3%2Fredirect%2F&scope=openid+email&login_hint=victim_email@gmail.com
Note that the state parameter is a CSRF token: it is meant to bind the authorization response to the session of the user who started the flow, so that an attacker cannot forge the cross-site request.
Normally, if the state parameter is generated for the client's Firefox browser during the OAuth login above, the token should be valid only in that Firefox browser session. The problem here is that the OAuth login mechanism lacked that check: the state parameter (the CSRF token) was accepted as valid from any other client browser as well. For the attacker, this means the URL above can simply be embedded in a web page. As soon as the victim visits the page, the attacker's Facebook account is verified against the victim's mailbox (for example victim_email@gmail.com), giving an indirect CSRF attack.
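To show the missing check the article points to, here is an added example (not Facebook's or Google's code; the session model, the names and the HMAC scheme are assumptions) that binds the OAuth state to the browser session that started the flow, so a state minted in one session is rejected when presented from another, and is also rejected when replayed. The weak variant models the behaviour described above, where any issued state is accepted from anywhere.

```python
import hashlib
import hmac
import secrets
from typing import Optional

SERVER_KEY = secrets.token_bytes(32)  # constructed: per-deployment secret


class Session:
    """Minimal server-side browser session (assumed model)."""
    def __init__(self) -> None:
        self.id = secrets.token_urlsafe(16)
        self.pending_state: Optional[str] = None


# Weak pattern: the state is random but not tied to any session, so a value
# issued in the attacker's browser validates in the victim's browser too.
ISSUED_STATES: set = set()

def weak_issue_state() -> str:
    state = secrets.token_urlsafe(32)
    ISSUED_STATES.add(state)
    return state

def weak_verify_state(state: str) -> bool:
    return state in ISSUED_STATES


# Bound pattern: state = nonce + HMAC(session id, nonce), stored in the session.
def issue_state(session: Session) -> str:
    nonce = secrets.token_urlsafe(16)
    mac = hmac.new(SERVER_KEY, f"{session.id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    session.pending_state = f"{nonce}.{mac}"
    return session.pending_state

def verify_state(session: Session, state: str) -> bool:
    # The callback must arrive in the session that started the flow; any callback
    # consumes the pending state so it cannot be replayed.
    pending, session.pending_state = session.pending_state, None
    if pending is None or "." not in state:
        return False
    nonce, mac = state.split(".", 1)
    expected = hmac.new(SERVER_KEY, f"{session.id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected) and hmac.compare_digest(state, pending)

def demo() -> tuple:
    attacker, victim = Session(), Session()
    weak_cross = weak_verify_state(weak_issue_state())        # accepted anywhere: True
    state = issue_state(attacker)
    issue_state(victim)                                       # victim has its own flow
    cross = verify_state(victim, state)                       # attacker's state in victim's session: False
    same = verify_state(attacker, state)                      # correct session: True
    replay = verify_state(attacker, state)                    # second use: False
    return weak_cross, cross, same, replay
```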
There is one more obstacle: before the victim visits the attacker's page, the attacker's Facebook account has to be logged in inside the victim's browser. Facebook's one-click login (Log In With One Click) happens to make that possible. Embedding the following Facebook one-click login link in an IFrame on the malicious page logs the attacker's Facebook account in within the victim's browser when the victim opens the page.
https://www.facebook.com/recover/password/?u=100008421723582&n=232323&ars=one_click_login&fl=one_click_login&spc=1&ocl=1&sih=0
Then, when the victim clicks the OAuth login button, the victim's email address is used to confirm the attacker's Facebook account, after which the following link logs the attacker's Facebook account out again:
https://m.facebook.com/logout.php?h=17AfealsadvYomDS
By combining these steps into one malicious page, the attacker can use the victim's mailbox (a Gmail account, as in the demonstration video) to complete verification of the newly created Facebook account.
Overall, the impact of this vulnerability is limited. Its root cause is that Facebook's third-party OAuth login process did not effectively validate the CSRF token, which let an attacker reuse a fixed state value. Still, as web applications keep adopting third-party OAuth in more and more scenarios, the problems and vulnerabilities in these mechanisms deserve close attention.
This concludes the analysis of the CSRF vulnerability in Facebook's Gmail verification mechanism. I hope the content above has been useful and helps you learn more. If you found the article helpful, feel free to share it so that more people can see it.