How to Hack Facebook Accounts With Oculus Integration!
Security researcher Josip Franjković explains how cybercriminals can hack your Facebook account using a Cross-Site Request Forgery (CSRF) vulnerability. It enables them to connect a victim's account to an attacker's Oculus account. Once the accounts are linked, the attacker can extract the victim's access token and use Facebook's GraphQL queries to take over the account.
The vulnerability was reported to Facebook on 24 Oct and was temporarily fixed by the Facebook team. The complete fix was deployed on 30 Oct 2017. The fix was to check whether the currently logged-in user on Oculus matches the username parameter from the SSO link, which means that a login CSRF, response splitting, or any other way to set the victim's cookies could defeat it.
A couple of weeks later, Franjković found a login CSRF that could also be used to redirect the victim to an Oculus URL of his choosing: the ideal candidate to bypass the first fix.
Upon getting the /facebook_login_sso/ link ($hyperlink), the following request can be made using cURL to auth.oculus.com/nonce-redirect/:
curl -v --cookie "oc_ac_at=..snip.." --referer "https://auth.oculus.com/" -d "require_token_for=752908224809889&redirect_uri=https://www.oculus.com/account_receivable/?redirect_uri=$hyperlink" https://auth.oculus.com/nonce-redirect/
The response contained an /account_receivable/ link with a nonce, which logs the victim into the attacker's Oculus account, then redirects to the SSO link, skips the OAuth flow, and connects the account.
Timeline:
18th of November, 2017, 02:40 - Report sent to Facebook
18th of November, 2017, 05:10 - First response from Facebook
18th of November, 2017, 10:00 - Temporary fix for the bug (disabled /facebook_login_sso/ endpoint again)
11th of December, 2017 - Bug is now fixed.
This time, the fix was to implement a CSRF check at the /account_receivable/ endpoint, and to add an additional click to confirm the link between Facebook and Oculus accounts.
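The two fixes can be compared in a small model. This is an added example, not code from Facebook, Oculus, or the researcher: the function names, the HMAC-based token scheme, and the sample browser and account identifiers are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # constructed signing key for this model


def csrf_token(browser_id: str) -> str:
    """Token bound to the browser's own pre-login cookie; another site cannot obtain it."""
    return hmac.new(SERVER_KEY, browser_id.encode(), hashlib.sha256).hexdigest()


def nonce_login(browser_id, nonce_owner, token, check_csrf):
    """Nonce login: returns the account the browser is now logged in as, or None."""
    if check_csrf and not hmac.compare_digest(token or "", csrf_token(browser_id)):
        return None  # request did not originate from this browser's own page
    return nonce_owner


def link_accounts(session_user, sso_username, confirmed, require_confirm):
    """SSO link step: the first fix (username match) plus the optional confirm click."""
    if session_user != sso_username:
        return False
    if require_confirm and not confirmed:
        return False
    return True


def cross_site_flow(check_csrf, require_confirm):
    """A cross-site request carrying another account's nonce and SSO link.
    No CSRF token and no user click are available. Returns True if linking succeeds."""
    session_user = nonce_login("browser-A", "account-B", None, check_csrf)
    if session_user is None:
        return False
    return link_accounts(session_user, "account-B", False, require_confirm)


def user_initiated_flow():
    """The account owner logs in from their own browser and clicks confirm."""
    token = csrf_token("browser-B")
    session_user = nonce_login("browser-B", "account-B", token, True)
    return link_accounts(session_user, "account-B", True, True)


if __name__ == "__main__":
    print("first fix only:", cross_site_flow(False, False))
    print("with CSRF check:", cross_site_flow(True, False))
    print("with confirm click:", cross_site_flow(False, True))
    print("legitimate user:", user_initiated_flow())
```

The username-match check alone passes because the forced login makes the session and the SSO link agree; either added control stops the cross-site flow while the user-initiated one still succeeds.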
Josip Franjković is an internet security consultant who participates in various bug bounty programs. He has also been one of Facebook's top Whitehat reporters since 2013.
