InfoSec Write-ups
Facebook OAuth 2.0 Misconfiguration

Testing vuln.com for auth flows, I found one

c0d3x27
Published in InfoSec Write-ups
Aug 13, 2021 · 3 min read

Intro

If you have been following my cybersecurity articles, you already know that I don’t like to hunt on Facebook, but every now and then their bugs just get in my way. This one, in particular, is one of those vulnerabilities.

What is OAuth?

OAuth is a widely used authorization framework that lets a website or web application request limited access to a user’s account on another service, in this case Facebook, without the user handing their login credentials to the requesting application. The user chooses how much data to share (the requested scopes) instead of giving the third-party application full control of the account. An application might, for example, request access to your email contact list in order to suggest people you may know. The same mechanism is also used to provide authentication to third-party applications: “Log in with Facebook” lets a user sign in to one site with an account held at another.
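The delegation described above, as an added example that is not code from the article or from Facebook: a self-contained, in-memory simulation of the OAuth 2.0 authorization-code flow with both sides present. The provider (the Facebook role) checks the callback URL against the client’s registration, issues a one-time code, exchanges it for a token, and releases only the fields whose scope was granted; the client binds each login attempt to a random state and refuses callbacks it did not start. The endpoint URL, client id, secret, user record and scope names are all made up for illustration.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

AUTHZ_ENDPOINT = "https://provider.example/dialog/oauth"   # hypothetical

# Constructed sample data: one user record and the scope each field needs.
USERS = {"alice": {"email": "alice@example.com", "friends": ["bob", "carol"],
                   "posts": ["hello world"]}}
FIELD_SCOPE = {"email": "email", "friends": "user_friends", "posts": "user_posts"}


class Provider:
    """Account host that owns the user's data (the Facebook role)."""
    def __init__(self, clients):
        self.clients = clients  # client_id -> {"secret": str, "redirect_uris": set}
        self.codes, self.tokens = {}, {}

    def authorize(self, user, p):
        """User clicked Allow: redirect back to the client with a one-time code."""
        client = self.clients.get(p["client_id"])
        # Exact match only: prefix or substring matching of redirect_uri would
        # let an attacker steer the code to a host they control.
        if client is None or p["redirect_uri"] not in client["redirect_uris"]:
            raise ValueError("unknown client or unregistered redirect_uri")
        code = secrets.token_urlsafe(16)
        self.codes[code] = {"client_id": p["client_id"], "redirect_uri": p["redirect_uri"],
                            "scope": set(p.get("scope", "").split()), "user": user}
        # state is echoed back untouched so the client can tie the callback to its request.
        return p["redirect_uri"] + "?" + urlencode({"code": code, "state": p["state"]})

    def exchange(self, client_id, client_secret, code, redirect_uri):
        """Token endpoint: swap the code for an access token, exactly once."""
        grant, client = self.codes.pop(code, None), self.clients.get(client_id)
        if (grant is None or client is None or grant["client_id"] != client_id
                or not secrets.compare_digest(client["secret"], client_secret)
                or grant["redirect_uri"] != redirect_uri):
            raise ValueError("invalid grant")
        token = secrets.token_urlsafe(24)
        self.tokens[token] = {"user": grant["user"], "scope": grant["scope"]}
        return token

    def get(self, token, field):
        """Resource server: release a field only if its scope was granted."""
        session = self.tokens.get(token)
        if session is None or FIELD_SCOPE[field] not in session["scope"]:
            raise PermissionError(f"token lacks scope {FIELD_SCOPE[field]}")
        return USERS[session["user"]][field]


class Client:
    """Third-party web app offering 'Log in with Provider'."""
    def __init__(self, provider, client_id, secret, redirect_uri):
        self.provider, self.client_id = provider, client_id
        self.secret, self.redirect_uri = secret, redirect_uri
        self.pending = set()    # states issued and not yet consumed

    def login_url(self, scope):
        state = secrets.token_urlsafe(16)   # anti-CSRF token for this attempt
        self.pending.add(state)
        return AUTHZ_ENDPOINT + "?" + urlencode(
            {"client_id": self.client_id, "redirect_uri": self.redirect_uri,
             "response_type": "code", "scope": scope, "state": state})

    def callback(self, url):
        """Handle the redirect back from the provider."""
        q = parse_qs(urlparse(url).query)
        if q.get("state", [""])[0] not in self.pending:
            raise ValueError("state mismatch: not a login this client started")
        self.pending.discard(q["state"][0])
        return self.provider.exchange(self.client_id, self.secret,
                                      q["code"][0], self.redirect_uri)


def demo():
    """Consent flow plus three rejected abuses; returns what each produced."""
    fb = Provider({"app123": {"secret": "s3cret",
                              "redirect_uris": {"https://app.example/callback"}}})
    app = Client(fb, "app123", "s3cret", "https://app.example/callback")
    # Happy path: alice grants email and friends but not posts.
    login = app.login_url("email user_friends")
    params = {k: v[0] for k, v in parse_qs(urlparse(login).query).items()}
    token = app.callback(fb.authorize("alice", params))
    out = {"email": fb.get(token, "email"), "friends": fb.get(token, "friends")}
    checks = [
        ("posts_blocked", PermissionError, lambda: fb.get(token, "posts")),
        ("bad_redirect_rejected", ValueError, lambda: fb.authorize(
            "alice", dict(params, redirect_uri="https://app.example.attacker.net/cb"))),
        ("csrf_rejected", ValueError, lambda: app.callback(
            "https://app.example/callback?code=xyz&state=notours")),
    ]
    for name, exc, attempt in checks:
        try:
            attempt()
            out[name] = False
        except exc:
            out[name] = True
    return out


if __name__ == "__main__":
    print(demo())
```

Running `demo()` walks one consent and then three things a tester probes on any “Log in with …” integration: a scope that was never granted, a redirect_uri that merely starts with the registered host, and a callback whose state the client never issued. Each is refused here; an integration that accepts any of them has handed out more than the user agreed to.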

Note:

OAuth 2.0 is the current standard, though some websites still use the legacy version 1.0. OAuth 2.0 was written from scratch rather than built on OAuth 1.0. As a result, the two are very…


Published in InfoSec Write-ups

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties and CTFs to vulnhub machines, hardware challenges and real life encounters. Subscribe to our weekly newsletter for the coolest infosec updates: https://weekly.infosecwriteups.com/

Written by c0d3x27

OSCP | OSWE | CompTIA CySA+, Sec+, A+, ITF+, CSAP | 0-day Researcher | Security Consultant
