Bug in Facebook OAuth. Convert facebook test account to real account in instagram/ oculus
Facebook Provide you the ability to create test accounts for white hat testing. You can create it by visiting the url facebook.com/whitehat/accounts.
Facebook wants you to test for security issues using test accounts only and if you're unable to reproduce an issue with a test account, then it is okay to use a real account you own or you have to get permission from the account owner. Adding Facebook implemented certain limitations for the test accounts.
I stuck with the last one. Can't convert to a real user account. Ok let's try it.
I tried for about a day in different ways like using the fake email at account recovery system and so on but failed.
I was like
And then I thought that I might find a way abusing facebook oauth system with test accounts. Navigated to few sites which allows login with facebook.
But when I tried login with facebook, It shows an error. Oops!! again screwed.
Then I decided to stop there and went to bed because it was 3 AM at night. In the next day, I woke up at 12 (regular time), I thought that I already wasted a day for this PoS, now give it a last shot.
I chose Instagram (Facebook's acquisition) and tried to create an account via my linked facebook account. And Boom!!! Done. Completed successfully.
I completed the steps and tried to visit some profiles. Yes I can view other accounts, follow them and do everything. I created a real account in instagram using facebook test account.
I was like
Facebook wants you to test for security issues using test accounts only and if you're unable to reproduce an issue with a test account, then it is okay to use a real account you own or you have to get permission from the account owner. Adding Facebook implemented certain limitations for the test accounts.
I stuck with the last one. Can't convert to a real user account. Ok let's try it.
I tried for about a day in different ways like using the fake email at account recovery system and so on but failed.
I was like
And then I thought that I might find a way abusing facebook oauth system with test accounts. Navigated to few sites which allows login with facebook.
But when I tried login with facebook, It shows an error. Oops!! again screwed.
Then I decided to stop there and went to bed because it was 3 AM at night. In the next day, I woke up at 12 (regular time), I thought that I already wasted a day for this PoS, now give it a last shot.
I chose Instagram (Facebook's acquisition) and tried to create an account via my linked facebook account. And Boom!!! Done. Completed successfully.
I completed the steps and tried to visit some profiles. Yes I can view other accounts, follow them and do everything. I created a real account in instagram using facebook test account.
I was like
Tried with other facebook acquisition and found the same issue in oculus. But there's no way to interact with other users. And rest of the sites are safe from this.
Since the issue is in different endpoints, Created two reports one for instagram and the other one for oculus.
Impact on Oculus : NIL.
Impact on Instagram : Low Impact. Facebook allows creation of any number of test accounts. So People can increase their followers on instagram by- fooling the system. Once authenticated, the account data will be stored on instagram's db and hence it won't affect even if we delete the test account on facebook.
But facebook replied that
Liked this post? Buy me a coffee
Since the issue is in different endpoints, Created two reports one for instagram and the other one for oculus.
Impact on Oculus : NIL.
Impact on Instagram : Low Impact. Facebook allows creation of any number of test accounts. So People can increase their followers on instagram by- fooling the system. Once authenticated, the account data will be stored on instagram's db and hence it won't affect even if we delete the test account on facebook.
But facebook replied that
Here's the PoC video (for Instagram)
Liked this post? Buy me a coffee
Comments
Post a Comment