Facebook OAuth 2.0 Misconfiguration
While testing the authentication flows of vuln.com, I found one.
Intro
If you have been following my cybersecurity articles, you already know that I don’t like to hunt on Facebook, but every now and then their bugs just get in my way. This one, in particular, is one of those vulnerabilities.
What is OAuth?
OAuth is a commonly used authorization framework that enables websites and web applications to request limited access to a user’s account on another application, in this case Facebook, without exposing the user’s login credentials to the requesting application. Users decide how much data to share rather than handing full control of their account to a third-party application. For example, an application might use OAuth to request access to your email contact list and use it to suggest people you may know. The same mechanism can also be used to provide authentication to third-party applications, allowing users to log in with an account they already have on a different website.
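As an added example (not code from the original post), here is the relying-party side of the "log in with an account from another site" flow described above, in Python, with the two checks a client should make when the user is redirected back: an exact match on the registered redirect URI and a single-use `state` value bound to the session. The authorize endpoint, client id and URIs are constructed placeholders, not a real provider's values.

```python
import hmac
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed configuration for a hypothetical relying party; the
# authorize endpoint is a placeholder, not a real provider URL.
AUTHORIZE_ENDPOINT = "https://provider.example/dialog/oauth"
CLIENT_ID = "123456789"
REGISTERED_REDIRECT_URI = "https://app.example/oauth/callback"


def begin_login(session: dict) -> str:
    """Build the authorization URL and bind a fresh state value to the session."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    params = {
        "client_id": CLIENT_ID,
        "redirect_uri": REGISTERED_REDIRECT_URI,
        "response_type": "code",
        "scope": "email",  # request only the data the app actually needs
        "state": state,
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def handle_callback(session: dict, callback_url: str) -> str:
    """Validate the redirect back from the provider and return the code, or raise."""
    parsed = urlparse(callback_url)
    # The callback must arrive on exactly the registered redirect URI.
    received = f"{parsed.scheme}://{parsed.netloc}{parsed.path}"
    if received != REGISTERED_REDIRECT_URI:
        raise ValueError("callback arrived on an unregistered redirect URI")
    query = parse_qs(parsed.query)
    # The state is consumed on first use, so a replayed callback fails.
    expected_state = session.pop("oauth_state", None)
    got_state = query.get("state", [""])[0]
    if expected_state is None or not hmac.compare_digest(expected_state, got_state):
        raise ValueError("state mismatch: possible CSRF or replayed callback")
    if "error" in query:
        raise ValueError(f"provider returned error: {query['error'][0]}")
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("no authorization code in callback")
    return code
```

The returned code would then be exchanged for a token server-to-server; that step is outside what this snippet shows.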
Note:
OAuth 2.0 is the current standard, but some websites still use the legacy version 1. OAuth 2.0 was written from scratch rather than built on OAuth 1. As a result, they are very…