Facebook’s Parse OAuth2 Bug

In this post I'm going to show how I was able to hack into Parse accounts via an OAuth vulnerability.
You can sign in to Parse by entering your email and password, or by signing in with your Facebook account.

If we click on the “Log in with Facebook” button, a GET request is made to this URL:

https://www.facebook.com/dialog/oauth?response_type=code&client_id=506576959379594&redirect_uri=https%3A%2F%2Fwww.parse.com%2Fauth%2Ffacebook%2Fcallback&state=3c580f78d588e40668b80dc9b1e310db576cc830e0d02d08&scope=email

The parameters that we have to consider are:

  • response_type
  • client_id
  • redirect_uri
  • scope

So I started to create a forged URL that redirects the victim to a malicious site which saves the Parse token in a file. To do this, I started playing with the redirect_uri parameter to see whether it allowed access to subdomains or subfolders, and this was the result.

Allowed requests:

  • xxx.parse.com        (allows redirect to subdomains)
  • xxx.parse.com/xxx/   (allows redirect to subfolders)

I noticed that the redirect_uri check allows subdomains and subfolders, so I looked for an open redirect vulnerability in Parse's domain and subdomains, but I couldn't find anything.

I realized that Parse's subdomain files.parse.com allows me to upload an HTML file, so I uploaded an HTML file containing code that redirects to a malicious URL. The URL to view the content of the uploaded page was:
http://files.parse.com/07c3d9cb-7a00-48c1-81d2-51d1f90bd8ad/68f9cc54-b661-4448-a4bb-0f413a1bcf8e-wow.html

Final PoC (Facebook has already fixed this issue):
https://www.facebook.com/dialog/oauth?response_type=token&client_id=506576959379594&redirect_uri=http://files.parse.com/07c3d9cb-7a00-48c1-81d2-51d1f90bd8ad/68f9cc54-b661-4448-a4bb-0f413a1bcf8e-wow.html&state=3c580f78d588e40668b80dc9b1e310db576cc830e0d02d08&scope=email

This URL redirects the user to the uploaded page, whose script takes the token and saves it in a file.
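As an added example (not code from this post, Facebook or Parse), here is a redirect_uri check of the domain-matching kind observed above, next to a strict validator that exact-matches redirect_uri against the client's registration and also refuses a response_type the client was not registered for. The client registration is a constructed assumption; the two URLs are the ones quoted in the post.

```python
from urllib.parse import parse_qs, urlparse

# Constructed client registration for this example; the post shows only the
# redirect_uri that Parse's login button sends, not what Facebook had stored.
CLIENT_REGISTRATIONS = {
    "506576959379594": {
        "redirect_uris": {"https://www.parse.com/auth/facebook/callback"},
        "response_types": {"code"},
    },
}

# The two authorization URLs quoted in the post.
LOGIN_URL = ("https://www.facebook.com/dialog/oauth?response_type=code&client_id=506576959379594"
             "&redirect_uri=https%3A%2F%2Fwww.parse.com%2Fauth%2Ffacebook%2Fcallback"
             "&state=3c580f78d588e40668b80dc9b1e310db576cc830e0d02d08&scope=email")
POC_URL = ("https://www.facebook.com/dialog/oauth?response_type=token&client_id=506576959379594"
           "&redirect_uri=http://files.parse.com/07c3d9cb-7a00-48c1-81d2-51d1f90bd8ad/"
           "68f9cc54-b661-4448-a4bb-0f413a1bcf8e-wow.html"
           "&state=3c580f78d588e40668b80dc9b1e310db576cc830e0d02d08&scope=email")


def loose_redirect_check(redirect_uri, registered_domain="parse.com"):
    """Domain-level matching of the kind the post observed: any host under the
    registered domain, with any path and any scheme, passes. The weak check."""
    host = (urlparse(redirect_uri).hostname or "").lower()
    return host == registered_domain or host.endswith("." + registered_domain)


def validate_authorization_request(url):
    """Strict validation: returns None if the request is acceptable, otherwise
    a short reason for rejecting it."""
    params = parse_qs(urlparse(url).query)

    def first(key):  # first value of a query parameter, percent-decoded
        return params.get(key, [""])[0]

    registration = CLIENT_REGISTRATIONS.get(first("client_id"))
    if registration is None:
        return "unknown client_id"
    # Exact string match against the registered URIs: no subdomains, no
    # subfolders and no https-to-http downgrade get through.
    if first("redirect_uri") not in registration["redirect_uris"]:
        return "redirect_uri not registered"
    # A client registered for the code flow must not be switched to
    # response_type=token, which delivers the access token in the redirect.
    if first("response_type") not in registration["response_types"]:
        return "response_type not allowed for this client"
    if not first("state"):
        return "missing state"
    return None
```

The loose check accepts the PoC's files.parse.com URL, while the strict validator rejects it before the response_type switch is even considered.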