I am sharing one of my findings that I submitted to Facebook's Whitehat program earlier this year.
Facebook Ads Manager integrates with MailChimp in order to pull MailChimp data into Facebook Ads Manager. The integration is an application registered on the MailChimp side, built on MailChimp's OAuth 2.0 implementation and developed entirely by Facebook. Once a MailChimp user authorises the application, it sends that user's MailChimp data to Facebook Ads Manager.
OAuth Authorisation URL for Facebook Custom Audiences is/was:
I tried to play around with the redirect_uri to hijack the control flow using different techniques, but failed. I then moved on and started fiddling with the MailChimp OAuth 2.0 documentation, where I discovered something interesting: the spec talks about wildcards in the registered redirect_uri.
So I gave it a second thought: what if Facebook had misconfigured their registered redirect_uri as the wildcard *.facebook.com instead of the single host www.facebook.com? I tried a few requests such as the following, and all of them worked:
So, basically, I can tamper with the redirect_uri and hijack the OAuth flow to any [controlled].facebook.com host. A wildcard is only as safe as the least trusted host it matches, and here that matters: Facebook hosts third-party applications under apps.facebook.com/appname. Using this, a redirect_uri can be constructed that points at a malicious third-party app on apps.facebook.com, which then steals the victim's MailChimp access_token through the Facebook Custom Audiences application.
The final attack steps would be:
- Attacker sends the victim a Facebook Custom Audiences OAuth link with a tampered redirect_uri:
- Victim authorises the MailChimp application.
- Attacker receives the access_token via his malicious app hosted at
Facebook fixed the vulnerability by restricting the redirect_uri to www.facebook.com and rewarded the report.
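To make the bug class concrete, here is an added Python example (not code from this writeup, from MailChimp or from Facebook) that models an authorisation server checking a requested redirect_uri against the client's registered one, first with the wildcard *.facebook.com registration and then with the exact www.facebook.com registration the fix moved to. The authorize endpoint, client_id, callback path and the apps.facebook.com/attacker-app name are all constructed for the example.

```python
"""
Wildcard vs. exact redirect_uri matching at an OAuth 2.0 authorisation server.

Added illustration, not code from the writeup, MailChimp or Facebook. The
authorize endpoint, client_id, callback path and the "attacker-app" name are
constructed for this example; only the bug class follows the post: a
registered redirect_uri matched as *.facebook.com on a domain that also
hosts third-party applications under apps.facebook.com/appname.
"""
from urllib.parse import urlencode, urlsplit

# Constructed (hypothetical) authorisation server details.
AUTHORIZE_ENDPOINT = "https://login.mailchimp.example/oauth2/authorize"
CLIENT_ID = "facebook-custom-audiences-client"

# Registered redirect_uri before and after the fix described in the post.
WILDCARD_REGISTRATION = "https://*.facebook.com/"  # misconfigured: any subdomain
EXACT_REGISTRATION = "https://www.facebook.com/"   # the fix: one host only

# Constructed redirect_uri candidates the server might be asked to honour.
LEGIT_CALLBACK = "https://www.facebook.com/ads/manage/mailchimp/callback"
ATTACKER_APP = "https://apps.facebook.com/attacker-app/"      # 3rd-party app host
LOOKALIKE = "https://www.facebook.com.evil.example/callback"  # suffix trick
NO_DOT = "https://evilfacebook.com/callback"                  # missing-dot trick
FOREIGN = "https://attacker.example/callback"                 # unrelated host


def host_matches(registered_host: str, host: str) -> bool:
    """Match a registered host against a candidate host.

    A leading '*.' means "any non-empty label(s) followed by this suffix",
    which is exactly how a *.facebook.com registration ends up covering
    apps.facebook.com.
    """
    if registered_host.startswith("*."):
        suffix = registered_host[1:]  # "*.facebook.com" -> ".facebook.com"
        return host.endswith(suffix) and len(host) > len(suffix)
    return registered_host == host


def redirect_uri_allowed(registered: str, candidate: str) -> bool:
    """Decide whether `candidate` is acceptable for the `registered` URI.

    The scheme must be https on both sides, the host must match (exactly or
    via the wildcard), and the candidate path must extend the registered path.
    """
    reg, cand = urlsplit(registered), urlsplit(candidate)
    if cand.scheme != "https" or reg.scheme != cand.scheme:
        return False
    if not cand.hostname or not host_matches(reg.hostname, cand.hostname):
        return False
    return cand.path.startswith(reg.path)


def build_authorize_url(redirect_uri: str) -> str:
    """The authorisation link the attacker sends to the victim (first step)."""
    query = urlencode({
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": redirect_uri,
    })
    return f"{AUTHORIZE_ENDPOINT}?{query}"


def evaluate(registered: str) -> dict:
    """Report which candidate redirect_uris a given registration lets through."""
    candidates = {
        "legit": LEGIT_CALLBACK,
        "attacker_app": ATTACKER_APP,
        "lookalike": LOOKALIKE,
        "no_dot": NO_DOT,
        "foreign": FOREIGN,
    }
    return {name: redirect_uri_allowed(registered, uri)
            for name, uri in candidates.items()}


if __name__ == "__main__":
    for label, registration in (("wildcard", WILDCARD_REGISTRATION),
                                ("exact", EXACT_REGISTRATION)):
        print(f"registered as {registration} ({label}): {evaluate(registration)}")
    # The tampered link from the post's first attack step, pointing the
    # authorisation response at the constructed attacker app.
    print(build_authorize_url(ATTACKER_APP))
```

Under the wildcard registration the attacker-controlled apps.facebook.com app is accepted right alongside the real callback, which is the whole bug: the lookalike and missing-dot hosts are correctly refused, but a wildcard is only as safe as the least trusted host it matches, and apps.facebook.com hosts third-party code. The exact registration rejects it. Exact string comparison of redirect_uri is also what the OAuth 2.0 Security Best Current Practice recommends.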