At the beginning of 2015 (01/22/15), while I was looking for bug bounty (BB) targets, I knew that Oculus was in scope of the Facebook bug bounty program.
When a product is in scope, we should look at all of its main domains and subdomains. At that time the Oculus domain was (https://developer.oculusvr.com/).
But there was a link in the menu to (https://answers.oculus.com/), so I went there.
After some looking around I found that you can upload images in comments, so I told myself: let's play here.
How does it work?
If you upload an image in a comment, the first filter checks whether the uploaded file is an image. It decides that only by checking whether the file name ends with a photo extension.
The request also includes image=true.
I uploaded a file named xxml.jpg, used Burp to intercept the request, changed the Content-Type to (text/xml),
and forwarded the request.
Boom
Now we have uploaded XML. I tried .php and .html; they were uploaded but gave a 500 server error!
So, to do a harmful attack, what kind of file do I need?!? Ahh, "SWF".
SWF can be used for SOP bypass, XSS, open redirect, and leaking the CSRF token, because it was stored in cookies.
There is a very useful tool by @evilcos called "xss.swf"; you can find it here
Now let's do it again with .swf.
Same thing: intercept --> change the Content-Type to "application/x-shockwave-flash" --> forward.
Here is a video of what I did
So we uploaded an evil SWF file.
Everything is good; now let's report it to Facebook.
After I don't know how long (because Facebook closed my account :p),
they replied:
Hi Abdullah,
Thank you for your report.
This subdomain is actually not part of the Facebook bug bounty program and is hosted by AnswerHub. If you believe you have discovered a security vulnerability in that site, please consider responsibly disclosing it directly to them.
Thanks,
Mark
Security
It was a disappointing reply, because I thought every domain under *.oculus.com was in scope.
But wait, I logged in using (api.oculus.com), so there is hope to steal the access token.
After some work I found that you can steal the token by having the login flow redirect you to the uploaded SWF file, which then steals it (I lost the details while formatting :p).
So the final PoC URL:
https://api.oculus.com/v1/oauth2/authorize?client_id=answerHub&response_type=token%20id_token&nonce=-blahblah&state=&redirect_uri=https://answers.oculus.com/storage/attachments/131-xss.jpg&country=US&locale=en_US
Because of the improper validation of redirect_uri on api.oculus.com, I was able to change its value. It can also be used as an open redirect through redirect_uri, and that affects (api.oculus.com),
which is in scope!!
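Added example (not code from the post, from Oculus or from AnswerHub): a Python model of the redirect_uri check on the authorize endpoint, comparing a lax host-suffix match (an assumption about how the improper validation behaved, not a description of the real code) with the exact match against pre-registered URIs that fixes it, tested on the PoC URL above. The registered callback path for the answerHub client is a placeholder.

```python
from urllib.parse import parse_qs, urlsplit

# The PoC authorize URL quoted in the post, and the redirect_uri it carries.
POC_URL = ("https://api.oculus.com/v1/oauth2/authorize?client_id=answerHub"
           "&response_type=token%20id_token&nonce=-blahblah&state="
           "&redirect_uri=https://answers.oculus.com/storage/attachments/131-xss.jpg"
           "&country=US&locale=en_US")
POC_REDIRECT = "https://answers.oculus.com/storage/attachments/131-xss.jpg"

# Constructed registration table (client_id -> exact redirect URIs). The
# AnswerHub callback path is an assumed placeholder; the post does not say
# what the real registered URI was.
REGISTERED_REDIRECT_URIS = {
    "answerHub": {"https://answers.oculus.com/auth/callback"},
}


def weak_redirect_check(redirect_uri: str) -> bool:
    """Host-suffix check: accepts any path on any host under oculus.com.

    This is an assumed model of a lax check, not what api.oculus.com ran.
    A user-controlled upload path on answers.oculus.com passes it.
    """
    parts = urlsplit(redirect_uri)
    host = parts.hostname or ""
    return parts.scheme == "https" and (
        host == "oculus.com" or host.endswith(".oculus.com"))


def strict_redirect_check(client_id: str, redirect_uri: str) -> bool:
    """Exact string match against the client's pre-registered URIs.

    Scheme, host, port, path and query must all be equal; a fragment is
    rejected outright, since the implicit flow (response_type=token) puts
    the access token in the fragment of wherever the browser is sent.
    """
    if urlsplit(redirect_uri).fragment:
        return False
    return redirect_uri in REGISTERED_REDIRECT_URIS.get(client_id, set())


def check_authorize_request(url: str) -> tuple:
    """Parse an /oauth2/authorize URL and decide whether the strict check
    would let the redirect go ahead. Returns (client_id, redirect_uri, ok)."""
    params = parse_qs(urlsplit(url).query)
    client_id = params.get("client_id", [""])[0]
    redirect_uri = params.get("redirect_uri", [""])[0]
    return client_id, redirect_uri, strict_redirect_check(client_id, redirect_uri)
```

With the exact match, the PoC's redirect_uri (an attachment path, not a registered callback) is refused before any token is issued, which is the fix Facebook said was being tested.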
I reported again:
Hi Mark,
I know that it is hosted on AnswerHub and I will report to them, but if you see that answers.oculus.com can be used to steal access tokens from api.oculus.com, and that will affect (api.oculus.com), which is in scope. It can be used to redirect as well.
Log out and open this URL; you will get the login page, and when the user logs in he will be redirected to the SWF file that steals the access token, and that will affect the OAuth of Oculus.
URL://URL
Open redirect, for example:
URL://URL
That should be a bug in the system of Oculus.
Thanks
I got:
Hi Abdullah,
Thanks again for writing in. The improper validation of redirect_uri on api.oculus.com was already known to us due to a previous report. There's a fix currently being tested.
As Mark mentioned, since answers.oculus.com is hosted by a third-party called AnswerHub, the issue of a stored XSS on AnswerHub is unfortunately out-of-scope. I'd encourage you to reach out to them directly and let them know about the issue.
Thanks,
Aaron
Security, Facebook
So I said: if it is third-party, I think other companies use it too. I made a Google dork and searched for it.
I got some good results, like eBay and IBM!!
I did the same thing, and here it is:
eBay
IBM
Good, now let's report it to AnswerHub. I contacted "Matthew Schmidt", the CTO of DZone, the company that builds AnswerHub, which is a paid service.
They didn't give any bounty; they told me they would send a package of DZone things. I didn't get anything. I don't know if my bad post office lost it or they never sent it!! No one knows :p.
After some weeks they published release notes without my name; I contacted them again and they added it with my last name spelled wrong :p!
http://answerhub.com/releases/changelogs/answerhub-1.6.3-release-change-log/
I told Facebook about all of this and Neal Poole replied:
Hi Abdullah,
Glad to hear it!
Thanks,
Neal
Security, Facebook
That is all of it.
Thanks for reading. You can contact me on Twitter: @Abdulahhusam
Take care