
Meta Bug Bounty: Oculus Account Takeover Vulnerability Discovered

Facebook Oculus Account Takeover Due to Access Token Theft by Exploiting Open Redirect Vulnerability

Oculus Account Takeover – A critical security vulnerability was discovered by bug hunter Youssef Sammouda on January 19, 2023, which potentially allowed malicious actors to steal access tokens and gain unauthorized access to Facebook and Oculus accounts. The vulnerability stemmed from the Oculus application’s use of the redirect URI auth.oculus.com/login/, which was previously a valid endpoint for logging in to Oculus with a Facebook account.

However, after Oculus switched to using Meta Accounts for login, the endpoint would redirect to auth.meta.com/oidc/ for login and then back to auth.oculus.com. This change removed a crucial protection against token leakage, making it possible for an attacker to steal the access token and use it to access the victim’s Facebook and Oculus accounts.

The bug hunter explained that the vulnerability was relatively simple to exploit. The attack involved tricking the victim into logging into their Meta account through a login CSRF, then redirecting them to a malicious URL that captured the access token. The token was thereby leaked to a third-party application, potentially giving the attacker full access to the victim’s accounts.
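The following Python model is an added example, not code from the write-up or from Meta. It illustrates the defensive lesson of this bug class: an exact-match check on the OAuth redirect_uri is not sufficient when the registered endpoint itself forwards the browser elsewhere, because a browser keeps the current URL's fragment (where an implicit-flow access token lives) across a redirect whose Location header carries no fragment. The origin, the "next" parameter, the handlers and the token value are constructed assumptions for the demonstration.

```python
from urllib.parse import urlparse, urljoin

# Constructed example values, modelled on the page's description (not Meta's real config).
ORIGIN = "https://auth.oculus.com"
REGISTERED_REDIRECT_URIS = {ORIGIN + "/login/"}
TOKEN_FRAGMENT = "access_token=EAAB_constructed_token"   # constructed, not a real token


def redirect_uri_allowed(redirect_uri: str) -> bool:
    """Authorization-server side: exact string match against registered URIs."""
    return redirect_uri in REGISTERED_REDIRECT_URIS


def weak_next_target(next_param: str) -> str:
    """Weak login handler: forwards the user wherever 'next' points (an open redirect)."""
    return next_param or ORIGIN + "/"


def safe_next_target(next_param: str) -> str:
    """Hardened login handler: only a local path on our own origin is accepted."""
    if (not next_param or not next_param.startswith("/")
            or next_param.startswith("//") or "\\" in next_param):
        return ORIGIN + "/"
    parsed = urlparse(next_param)
    if parsed.scheme or parsed.netloc:           # absolute URL smuggled in
        return ORIGIN + "/"
    return urljoin(ORIGIN + "/", parsed.path)    # query/fragment deliberately dropped


def browser_follow(current_url: str, location: str) -> str:
    """Model of browser behaviour: the current URL's fragment is retained when the
    Location header has none (RFC 7231 section 7.1.2), so a fragment token survives."""
    cur, loc = urlparse(current_url), urlparse(location)
    if cur.fragment and not loc.fragment:
        return location + "#" + cur.fragment
    return location


def run_flow(next_param: str, handler) -> str:
    """Token is delivered to the registered redirect_uri in the fragment; the login
    page then redirects according to 'next'. Returns the URL the browser lands on."""
    redirect_uri = ORIGIN + "/login/"
    if not redirect_uri_allowed(redirect_uri):
        raise ValueError("redirect_uri not registered")
    landing = f"{redirect_uri}?next={next_param}#{TOKEN_FRAGMENT}"
    return browser_follow(landing, handler(next_param))


if __name__ == "__main__":
    print(run_flow("https://attacker.example/collect", weak_next_target))  # token leaves origin
    print(run_flow("https://attacker.example/collect", safe_next_target))  # token stays on origin
```

The exact-match check passes in both runs; only the hardened handling of the onward redirect keeps the fragment on the legitimate origin.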

The bug hunter reported the vulnerability to Meta on August 27, 2022, and it was acknowledged and fixed on September 25, 2022. Meta awarded the bug hunter a bounty of $44,250 for discovering and reporting the critical Oculus Account Takeover vulnerability.

This incident highlights the importance of prioritizing security and performing thorough testing when implementing changes to authentication systems. Meta’s prompt response and acknowledgement of the vulnerability demonstrate their commitment to protecting user accounts and ensuring the security of their platforms.

–Meta bug bounty program


Link to read full write up: https://ysamm.com/?p=777


Author: Christin (https://secry.me/explore)

A cybersecurity practitioner with more than 5 years of experience in the cybersecurity world. Has an interest in creating simple blog websites, learning about SEO and graphic design, writing, AI, and understanding the concepts of journalism. Intentionally created this website to make the world of cybersecurity more engaging by combining it with journalistic principles and presenting cybersecurity stories that are easy to understand, which can help anyone who wants to develop in the cybersecurity world.
