Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Facebook account takeover due to a bypass of allowed callback URLs in the OAuth flow

Youssef Sammouda, posted 4 years ago
  • OAuth is a protocol used for third-party sign-ons all over the place. Facebook runs its own OAuth provider that can be used to log in to many other services.
  • The OAuth flow is quite complicated. In the context of OAuth, an arbitrary redirect is an automatic game over because of how the flow works: the redirect can deliver the user's authorization code (or token) to a location the attacker controls, and that code is what logs the user into a site via OAuth.
  • Facebook's OAuth has a preformatted response when an access token or authorization code is requested via postMessage. When a target origin was specified on the request, a fallback measure could be triggered if no opener window was found.
  • This fallback URI did NOT have strict validation on it; it only validated that the path is ON Facebook.com. By using a previously discovered open redirect on Instagram, the author had a bypass for the redirect_uri check.
  • Using two chained redirects, the access token a user had gained from logging in could be stolen. Facebook paid the author 30K for the finding and an additional 12K after a bypass of the fix was found.
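The root cause above is a redirect target check that is looser than the registered redirect_uri. As an added example (not code from the writeup or from Facebook; domains and the open-redirect path are constructed), the following contrasts a "same domain is good enough" check with an exact-match allowlist of the kind OAuth servers should apply to redirect_uri:

```python
from urllib.parse import urlsplit

# Constructed allowlist for a hypothetical OAuth client registration.
REGISTERED_REDIRECT_URIS = {
    "https://app.example.com/oauth/callback",
}

# The weak pattern: any URL on the trusted domain is accepted. A harmless-looking
# page on that domain which itself redirects elsewhere defeats this check, which
# is the class of bug the post describes.
def weak_redirect_allowed(requested: str) -> bool:
    host = urlsplit(requested).hostname or ""
    return host == "example.com" or host.endswith(".example.com")


def _normalize(uri: str):
    """Return (scheme, host, port, path, query) for exact comparison, or None if unusable."""
    parts = urlsplit(uri)
    if parts.scheme != "https" or not parts.hostname:
        return None
    # Userinfo ("https://user@host/") and fragments are never part of a registered URI.
    if parts.username is not None or parts.password is not None or parts.fragment:
        return None
    port = parts.port if parts.port is not None else 443
    return (parts.scheme, parts.hostname.lower(), port, parts.path or "/", parts.query)


def strict_redirect_allowed(requested: str) -> bool:
    """Exact match against registered URIs: no prefix, suffix or same-domain heuristics."""
    wanted = _normalize(requested)
    if wanted is None:
        return False
    return any(_normalize(reg) == wanted for reg in REGISTERED_REDIRECT_URIS)


if __name__ == "__main__":
    # Constructed sample: a redirector page on the trusted domain, pointing off-site.
    redirector = "https://app.example.com/go?to=https://attacker.invalid/collect"
    print("weak  :", weak_redirect_allowed(redirector))    # True, the bug
    print("strict:", strict_redirect_allowed(redirector))  # False
```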