Pre-Access to Victim’s Account via Facebook Signup

Email not verified

Facebook returns a user's email field only when the address has been verified on the Facebook side. The application's social-login endpoint receives a request like the following and then looks up the profile belonging to the access token:

https://example.com/auth2/access_token=Eposkdskdpo.........
Request Method: POST
{"email":"example@example.com","name":"hey","id":"fb-id"}

The profile Facebook returns contains the email only if it is verified.

Profile with no verified email:
{"id":"facebookidnumber","name":"Myname"}

Profile with a verified email:
{"id":"facebookidnumber","name":"Myname","email":"victimemail@victim.com"}
Account already exists

Steps:
  1. As the attacker, register a Facebook account using a phone number.
  2. On an application that offers "Sign-In with Facebook", create an account through that option.
  3. After the account is created, change the name or profile picture, then log in with the email address by performing a password reset and confirm that the same settings are present.
  4. Log in via Facebook again and confirm that you still have access to that account.

Conditions and limitations:
1. The victim must not already have created both a normal account and a Facebook account and signed in with them before.
2. If the application alerts users about sign-ins via Facebook and lets them remove the social sign-in, the impact drops sharply.
3. Most applications, when no email is returned, redirect to the home page with the response {"statusCode":400,"error":"invalid_grant","message":"Bad Request","error_description":"Bad credentials"}
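The following Python is an added example, not code from the original post or from any application it describes. It models the server-side decision behind both sections above: what a "Sign in with Facebook" handler does with the two profile shapes (with and without the email field) and with an existing password account that carries the same email. The weak pattern `vulnerable_login`, which trusts the email in the client's POST body, is an assumption about how an application ends up in the state the post describes; `hardened_login`, the `User` class and the in-memory store are illustration names, and the users in the store are constructed.

```python
import json
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class User:
    email: str
    name: str
    facebook_id: Optional[str] = None
    settings: dict = field(default_factory=dict)


def make_store() -> dict:
    """Constructed user store keyed by lower-cased email. The victim registered
    with a password and has never signed in with Facebook."""
    return {
        "victimemail@victim.com": User(
            email="victimemail@victim.com", name="Victim", settings={"theme": "dark"}
        ),
    }


# Rejection the post observes on applications that refuse a profile without an email.
NO_EMAIL_RESPONSE = {
    "statusCode": 400,
    "error": "invalid_grant",
    "message": "Bad Request",
    "error_description": "Bad credentials",
}


def vulnerable_login(client_body: str, users: dict) -> User:
    """Assumed weak pattern: the email in the client's POST body is trusted and the
    Facebook id is attached to whichever account carries that email. The client
    controls the body, so any address can be claimed without proving ownership."""
    body = json.loads(client_body)
    email = body["email"].lower()
    user = users.get(email)
    if user is None:
        user = User(email=email, name=body["name"])
        users[email] = user
    user.facebook_id = body["id"]  # silently links, even to a stranger's account
    return user


def hardened_login(facebook_profile: str, users: dict) -> dict:
    """Decides using only the profile Facebook returned for the access token.
    Facebook includes the email field only for a verified address, so a missing
    field means the provider has not vouched for any email."""
    profile = json.loads(facebook_profile)
    fb_id = profile["id"]

    # 1. A profile already linked by Facebook id signs in regardless of email.
    for user in users.values():
        if user.facebook_id == fb_id:
            return {"status": "ok", "user": user}

    # 2. No verified email: refuse rather than guess which account this is.
    email = profile.get("email")
    if not email:
        return {"status": "error", "response": NO_EMAIL_RESPONSE}
    email = email.lower()

    # 3. Verified email matching an unlinked password account: never merge silently.
    #    The owner must authenticate with the password first, then link, and the
    #    application should notify them that a Facebook sign-in was connected.
    if email in users:
        return {
            "status": "link_required",
            "message": "Sign in with your password to connect Facebook to this account",
        }

    # 4. Genuinely new user: create the account with the provider-verified email.
    user = User(email=email, name=profile.get("name", ""), facebook_id=fb_id)
    users[email] = user
    return {"status": "ok", "user": user}


if __name__ == "__main__":
    store = make_store()
    hijacked = vulnerable_login(
        '{"email":"victimemail@victim.com","name":"hey","id":"fb-id"}', store
    )
    print("vulnerable:", hijacked.facebook_id, hijacked.settings)

    store = make_store()
    print("hardened, no email:",
          hardened_login('{"id":"facebookidnumber","name":"Myname"}', store)["status"])
    print("hardened, verified email on existing account:",
          hardened_login('{"id":"facebookidnumber","name":"Myname",'
                         '"email":"victimemail@victim.com"}', store)["status"])
```

Run stand-alone, the weak handler hands the victim's settings to a Facebook id it has never seen, while the hardened handler returns the 400 response from the post for a profile with no email and asks for a password login before linking a verified one. Step 3 is what keeps condition 2 above from mattering: the account owner is the one who connects the social login, and nobody else can attach one behind their back.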

Security is Fun

Akshansh JaisWal
