0x00

Friday, February 12, 2016

How I hacked [Oculus] OAuth +Ebay +IBM


Hi,

At the beginning of 2015 (01/22/15), when I was looking for bug bounty (BB) programs, I knew that Oculus was in the scope of the Facebook bug bounty.





So when a product is in scope, we should look at all of its main domains and subdomains. At that time the Oculus domain was https://developer.oculusvr.com/.

But there was a link in the menu to https://answers.oculus.com/, so I went there.



After some looking around, I found that you can upload images in comments, so I told myself: let's play here.


How does it work?

If you upload an image in a comment, the first filter checks whether the uploaded file is an image; it decides that it is a photo only by checking whether the file name ends with a photo extension.

The request includes image=true.

I uploaded a file named xxml.jpg, used Burp to intercept the request, changed the Content-Type to text/xml and forwarded the request.

Boom




Now we have uploaded XML. I tried .php and .html; they were uploaded but gave a 500 server error!

So if I want to do a harmful attack, what kind of file do I need?!? Ahh, "SWF".


SWF can be used for SOP bypass, XSS, open redirect, and leaking the CSRF token, because it was stored in cookies.


There is a very useful tool by @evilcos called "xss.swf"; you can find it here.

Now let's do it again with .swf.

Same thing: intercept --> change the Content-Type to "application/x-shockwave-flash" --> forward.


Here is a video of what I did:







So we uploaded an evil SWF file.







Everything is good; now let's report it to Facebook.


After I don't know how long (because Facebook has closed my account now :p), they replied:

Hi Abdullah,

Thank you for your report.

This subdomain is actually not part of the Facebook bug bounty program and is hosted by AnswerHub. If you believe you have discovered a security vulnerability in that site, please consider responsibly disclosing it directly to them.

Thanks,

Mark
Security
Facebook



It was a disappointing reply, because I thought that every *.oculus.com domain was in scope.

But wait, I logged in using api.oculus.com, so there is hope to steal the access token.

After some work, I found that you can steal the token: the uploaded SWF file redirects you and steals it (lost data while formatting :p).


So the final PoC URL:


https://api.oculus.com/v1/oauth2/authorize?client_id=answerHub&response_type=token%20id_token&nonce=-blahblah&state=&redirect_uri=https://answers.oculus.com/storage/attachments/131-xss.jpg&country=US&locale=en_US


Because of the improper validation of redirect_uri on api.oculus.com, I was able to change its value. It can be used for open redirect via redirect_uri too, and this affects api.oculus.com, which is in scope!!
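As an added example (not code from the original post or from Oculus), here is the server-side check that prevents this: RFC 6749 section 3.1.2.3 requires the authorization server to compare redirect_uri with the pre-registered URI by simple string comparison, so a redirect to an uploaded attachment on an otherwise-trusted host is rejected. The client registry and the registered callback URI are assumptions; the PoC URL is the one shown above.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed registry (assumption): the exact redirect URIs each client_id may use.
REGISTERED_REDIRECTS = {
    "answerHub": {"https://answers.oculus.com/oauth/callback"},
}


def weak_redirect_check(client_id: str, redirect_uri: str) -> bool:
    """Host-based matching, the kind of check this write-up defeats: any path on an
    allowed host is accepted, including a user-uploaded attachment such as a SWF."""
    host = urlsplit(redirect_uri).hostname or ""
    allowed_hosts = {urlsplit(u).hostname for u in REGISTERED_REDIRECTS.get(client_id, ())}
    return any(host == h or host.endswith("." + h) for h in allowed_hosts)


def strict_redirect_check(client_id: str, redirect_uri: str) -> bool:
    """Exact string comparison against the pre-registered URIs (RFC 6749 section 3.1.2.3),
    after rejecting anything that is not an absolute https URL without a fragment."""
    parts = urlsplit(redirect_uri)
    if parts.scheme != "https" or not parts.netloc or parts.fragment:
        return False
    return redirect_uri in REGISTERED_REDIRECTS.get(client_id, set())


def authorize_request_ok(authorize_url: str) -> bool:
    """Decide whether an /oauth2/authorize request may proceed, based solely on
    whether its client_id/redirect_uri pair passes the strict check."""
    qs = parse_qs(urlsplit(authorize_url).query)
    client_id = qs.get("client_id", [""])[0]
    redirect_uri = qs.get("redirect_uri", [""])[0]
    return strict_redirect_check(client_id, redirect_uri)


# The PoC URL from the write-up: redirect_uri points at an uploaded "image" on the same host.
POC_URL = (
    "https://api.oculus.com/v1/oauth2/authorize?client_id=answerHub"
    "&response_type=token%20id_token&nonce=-blahblah&state="
    "&redirect_uri=https://answers.oculus.com/storage/attachments/131-xss.jpg"
    "&country=US&locale=en_US"
)

if __name__ == "__main__":
    poc_redirect = "https://answers.oculus.com/storage/attachments/131-xss.jpg"
    print("weak check accepts PoC redirect:", weak_redirect_check("answerHub", poc_redirect))
    print("strict check accepts PoC redirect:", strict_redirect_check("answerHub", poc_redirect))
    print("authorize request allowed:", authorize_request_ok(POC_URL))
```

The weak check passes the PoC redirect because the host matches; the strict check fails it because the path is not the registered one, which is exactly what closes both the token theft and the open redirect.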

I reported again:


Hi, Mark
I know that it is hosted on AnswerHub and I will report to them, but if you see that answers.oculus.com can be used to steal access tokens from api.oculus.com and this will affect (api.oculus.com), which is in the scope; it can be used to redirect as well.

Log out and open this URL; you will get the login page, and when the user logs in he will be redirected to the SWF file that steals the access token, and that will affect the OAuth of Oculus.
URL://URL
Open redirect, for example:
URL://URL
That should be a bug in the system of Oculus.
Thanks


I got:

Hi Abdullah,
Thanks again for writing in. The improper validation of redirect_uri on api.oculus.com was already known to us due to a previous report. There's a fix currently being tested.
As Mark mentioned, since answers.oculus.com is hosted by a third-party called AnswerHub, the issue of a stored XSS on AnswerHub is unfortunately out-of-scope. I'd encourage you to reach out to them directly and let them know about the issue.
Thanks,
Aaron
Security
Facebook

So I said: if it is a third-party product, I think other companies use it too. I made a Google dork and searched for it.

I got some good results, like eBay and IBM!!

I did the same thing, and here it is:


Ebay 



IBM



Good, now let's report it to AnswerHub. So I contacted "Matthew Schmidt", the CTO of DZone, which is the builder of AnswerHub, a paid service.

They didn't give any bounty; they told me they would send a package of DZone things. I didn't get anything. I don't know if my bad post office lost it or they didn't send it!! No one knows :p.

After weeks they published a release note without my name, and when I contacted them again they added it with my last name spelled wrong :p!

http://answerhub.com/releases/changelogs/answerhub-1.6.3-release-change-log/

I told Facebook about all of this and Neal Poole replied to me:

Hi Abdullah,
Glad to hear it!
Thanks,
Neal
Security
Facebook


That is all of it.

Thanks for reading. You can contact me on Twitter: @Abdulahhusam

Take care