Facebook MailChimp Application OAuth 2.0 Misconfiguration
I am sharing one of my findings that I submitted to Facebook's Whitehat program earlier this year.
Facebook Ads Manager provides an integration with MailChimp that fetches MailChimp data into Facebook Ads Manager. The application is part of the MailChimp website, runs on MailChimp's OAuth 2.0 implementation, and is developed entirely by Facebook developers. Once a MailChimp user authorises the application, it sends the MailChimp data to Facebook Ads Manager.
The OAuth authorisation URL for Facebook Custom Audiences is/was:
https://login.mailchimp.com/oauth2/authorize?response_type=code&client_id=112041070777&redirect_uri=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanage%2Fcontact_importer_auth%2F
I tried to play around with redirect_uri to hijack the control flow via different techniques, but failed. I then moved on and started fiddling around with the MailChimp OAuth 2.0 specs, where I discovered something interesting: the specs talk about wildcard redirect_uri values.
So I gave it a second thought: what if Facebook had their redirect_uri misconfigured to *.facebook.com instead of www.facebook.com? I tried a few requests such as the following, and all worked:
https://login.mailchimp.com/oauth2/authorize?response_type=token&client_id=112041070777&redirect_uri=https%3A%2F%2Ftest.facebook.com%2Fderp%2F
https://login.mailchimp.com/oauth2/authorize?response_type=code&client_id=112041070777&redirect_uri=https%3A%2F%2Fderp.facebook.com%2Fblahblah%2F
So, basically, I could tamper with the redirect_uri and hijack the OAuth flow to [controlled].facebook.com. Moving on, it is evident that Facebook hosts third-party applications under apps.facebook.com/appname; using this, a redirect URL can be constructed that points to a malicious third party, which will steal the MailChimp access_token via this Facebook Custom Audiences application.
The final attack steps would be:
- Attacker sends the Facebook Custom Audiences OAuth link with a tampered redirect_uri to the victim:
https://login.mailchimp.com/oauth2/authorize?response_type=token&client_id=112041070777&redirect_uri=https%3A%2F%2Fapps.facebook.com%2Fattacker%2F
- Victim authorises the MailChimp application.
- Attacker receives the access_token using his malicious app hosted at https://apps.facebook.com/appname
Facebook has fixed the vulnerability by restricting redirect_uri to www.facebook.com and rewarded this bug.