Two stage attack to fully takeover a facebook account.

First stage leaks a read-only access token and is centered on a couple open-redirects in apps.crowdtangle.com. First is that when you access any page that requires a login, it will set a redirect_url cookie, then redirect you to /auth for the user to actually login. This cookie is also used by /facebook/auth which is where Facebook’s oauth flow would redirect back to.

There was also a more general open-redirect on the custom pages feature where a /hash/ would be used to redirect. THis hash could be crafted to redirect to an attacker page.

So the chain of the first attack is to trigger the redirect_url to be set to the attackers /CUSTOM_PAGE/e/x/x/HASH/ page. Then make a request to facebook.com’s oauth endpoint with /facebook/auth as the redirect url (which is the proper target) and response_type=token. Once the victim logs in with facebook they’ll be redirected to /facebook/auth which redirects to the attackers /hash/ page, which redirects them to the attacker with the token in the url.

Stage two is upgrading this token. For this the author takes advantage of a “device login” feature which is meant to things like TVs which don’t have an easy input UI. Instead of entering your credentials you get prompted with a one-time code to enter. The page requests necessary to start this process are protected by CSRF tokens. Fortunately the previously obtained token can be used to read the CSRF token out of the graphql database. So they can fake the flow and obtain a full login.