利用 Oculus VR 的 CSRF 漏洞实现劫持关联的 Facebook 账号

发布时间：2018-01-16 14:34:39

<p>Oculus enables users to connect their Facebook accounts for a more "social" experience. This can be done using both the native Windows Oculus application and using browsers. I took a deeper look at the native Windows flow, and found a CSRF vulnerability which allowed me to connect a victim's Facebook account to attacker's Oculus account. Once connected, the attacker could extract the victim's access token, and use Facebook's GraphQL queries to take over the account. 
</p>

<h4>Steps to take over the victim's Facebook account:</h4>

<ol>
    <li><p>Using the attacker's Oculus account, create the following GraphQL mutation. The mutation should be sent to graph.oculus.com/graphql, with the attacker's Oculus access_token:</p>
        <div><pre>Mutation Test {<br>        facebook_sso_uri_generate( &lt;input&gt; ) { uri } }<br>        &amp;query_params={"input":{"client_mutation_id":"1"}}</pre></div></li>
    <li><p>The response will contain a link similar to this:
            https://www.oculus.com/facebook_login_sso/?username=josip.tester1&amp;ext=1508804050&amp;hash=AeQ6a90lgYfffT5k
            The idea behind the link is to enable a single click integration between the two services.</p></li>
    <li><p>If the victim clicks on the link or visits a page which renders it as the src attribute on an &lt;img&gt; tag, their Facebook account will be connected to the attacker's Oculus account. In the background, the link actually <strong>redirects to Facebook's OAuth flow, skips it, and then connects the two accounts.</strong></p></li>
</ol>

<p>At this point I thought about reporting this to Facebook, since the attacker could view victim's partial friend list and other minor information, but decided to dig a bit deeper into the native application. The app's app.asar contained references to a GraphQL query which returned information about the connected Facebook account:
</p>
<div><pre>viewer(){ linked_accounts_info { facebook_account { <strong>facebook_id</strong> } } } </pre></div>
<p>Getting the Facebook ID is useless - it is public anyway. However...</p>

<ol start="4">
    <li><p>After a bit of guessing, I found out it is also possible to query for the victim's Facebook <strong>access_token:</strong></p></li>
</ol>
<div><pre>viewer(){ linked_accounts_info { facebook_account { <strong>access_token</strong> } } } </pre></div>
<p>
    A screenshot of the request and the response:
    <img src="http://pgicons.cn-bj.ufileos.com/img_discover/151608394278bfd14ed8b565b3bdc8fcc4375f4efc1da2e3e0.png" data-jslghtbx="">
    
This is a <strong>first-party access_token</strong>, which also has access to Facebook's GraphQL endpoint - third party apps are not allowed to do that. Once you get such a token, you have <strong>full control</strong> of the account.
<br>By previously decompiling various Facebook apps, I had recorded some persisted GraphQL queries. I used these to prove the account takeover and add a new phone number to my test victim's account:
</p>
<ol start="5">
    <li><p>doc_id is the persisted query ID, matching the "SendConfirmationMutation" mutation which adds a new mobile phone.
        </p>
        <div><pre>graph.facebook.com/graphql?<strong>doc_id=10153582085883380<br></strong>&amp;variables={"input":{"client_mutation_id":1,"actor_id":"FBID",<br>"phone_number":"<strong>+PHONENUMBER</strong>"}}<br>&amp;access_token=<strong>VICTIMTOKEN</strong><br></pre>
        </div></li><li><p>After the confirmation code arrives, we can confirm it using "ConfirmPhoneCodeMutation":
        </p>
<div>
<pre>graph.facebook.com/graphql?<strong>doc_id=10153582085808380</strong><br>&amp;variables= {"input":{"client_mutation_id":1,"actor_id":"FBID",<br>"confirmation_code":"<strong>CODE</strong>"}}&amp;<br>method=post&amp;access_token=<strong>VICTIMTOKEN</strong><br></pre>
</div></li>
<li><p>Finally, reset the victim's password using the attacker's confirmed mobile phone.</p></li>
</ol>

<h4>Timeline:</h4>

- 24th of October, 2017, 03:20 - Report sent to Facebook
- 24th of October, 2017, 10:50 - First reply from Facebook
- 24th of October, 2017, 11:30 - Temporary fix for the bug (disabled /facebook_login_sso/ endpoint)
- 30th of October, 2017 - Bug is now fixed.

<p>
    The fix was to check if the currently logged-in user on Oculus matches the username parameter from the SSO link, which means a login CSRF or response splitting or any other way to set victim's cookies would defeat it.
    <br>
    A couple weeks later I found a login CSRF which could also be used to redirect the victim to an Oculus URL I chose - the perfect candidate to bypass the first fix. Steps to reproduce are the same as in the first bug, with an additional one between steps 2 and 3:
</p>
<p>
    After getting the /facebook_login_sso/ <strong>$LINK</strong>, the following request could be made using cURL to auth.oculus.com/nonce-redirect/
</p>
<div><pre>curl -v --cookie "oc_ac_at=..snip.." --referer "https://auth.oculus.com/"  -d    "require_token_for=752908224809889&amp;redirect_uri=https://www.oculus.com/account_receivable/?redirect_uri=<strong>$LINK</strong>"<br>https://auth.oculus.com/nonce-redirect/</pre></div>
<p>The response contained an /account_receivable/ link with a nonce, which logs the victim into the attacker's Oculus account, and then redirects to the SSO link, skips the OAuth flow, and connects the account.</p>

<h4>Timeline:</h4>
- 18th of November, 2017, 02:40 - Report sent to Facebook
- 18th of November, 2017, 05:10 - First reply from Facebook
- 18th of November, 2017, 10:00 - Temporary fix for the bug (disabled /facebook_login_sso/ endpoint once again)
- 11th of December, 2017 - Bug is now fixed.

<p>This time, the fix was to implement a CSRF check on the /account_receivable/ endpoint, AND add an additional click to confirm the link between Facebook and Oculus accounts. I believe this properly fixes the vulnerability without degrading user experience too much. </p>
<p>As always, a big thank you to Facebook for running their bug bounty program. Shout-out to <a>Pete Yaworski</a>&nbsp; for proofreading this blog, and to <a>@phwd</a>&nbsp; for his awesome GraphQL / API <a>write-ups.</a>&nbsp; </p>

原文 / From www.josipfranjkovic.com/blog/hacking-facebook-oculus-integration-csrf