Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Oculus SSO Bad Account Linking Bug - 526

Youssef Sammouda - Posted 4 Years Ago
  • Oculus is a virtual reality headset that is owned by Facebook. Single Sign On (SSO) lets a single identity provider authenticate users on sites other than the provider itself. An example of this is Sign In With Facebook.
  • When going through the SSO flow, the login site has to redirect back to the main site, for instance when using Sign In With Facebook to log in to Instagram. The redirect to the callback URL, the place to be redirected to, must be done securely. Otherwise, the authorization token could be stolen.
  • When using the Oculus SSO and redirecting back to the site, the redirect_uri is not properly restricted. Although the domain and exact path must be matched, the check is a fuzzy match.
  • By using a directory traversal (../), an attacker can move up the directory tree until they find something suitable for an arbitrary redirect. When the arbitrary redirect on the main site occurs, the token will be redirected to the attacker's site.
  • The interesting thing about this bug bounty report is that there was no actual exploitable site that was using Oculus SSO. However, it was an issue with Oculus itself! Because of this, the POC uses a labeled filler in place of the arbitrary redirect functionality, instead of an actual vulnerability.
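
The redirect_uri weakness described above, as an added example (not code from the report or from Oculus): a prefix check, assumed here as a stand-in for the "fuzzy match", accepts callbacks containing ../ segments, while an exact component comparison that refuses dot segments rejects them. The client.example host, the paths and the function names are constructed for illustration.

```python
from urllib.parse import urlsplit, unquote

# Constructed registration for a hypothetical client; not from the report.
REGISTERED = "https://client.example/oauth/callback"

def fuzzy_match(candidate: str, registered: str = REGISTERED) -> bool:
    """Weak check (assumed stand-in for the fuzzy match): prefix only."""
    return candidate.startswith(registered)

def _has_dot_segment(path: str) -> bool:
    # Decode until stable so %2e%2e and double-encoded %252e%252e are caught.
    prev = None
    while prev != path:
        prev, path = path, unquote(path)
    return any(seg in (".", "..") for seg in path.replace("\\", "/").split("/"))

def strict_match(candidate: str, registered: str = REGISTERED) -> bool:
    """Hardened check: exact component comparison, dot segments refused."""
    try:
        c, r = urlsplit(candidate), urlsplit(registered)
        c_port, r_port = c.port, r.port  # .port raises ValueError if malformed
    except ValueError:
        return False
    if c.username or c.password or c.fragment:
        return False
    if _has_dot_segment(c.path):
        return False
    return (c.scheme, c.hostname, c_port, c.path, c.query) == \
           (r.scheme, r.hostname, r_port, r.path, r.query)

# Constructed sample inputs: the registered callback, then traversal variants.
SAMPLES = [
    "https://client.example/oauth/callback",
    "https://client.example/oauth/callback/../../redirect",
    "https://client.example/oauth/callback/%2e%2e/%2e%2e/redirect",
    "https://client.example/oauth/callback/%252e%252e/redirect",
]

def compare(samples=SAMPLES):
    """Return (url, weak_result, strict_result) for each sample."""
    return [(s, fuzzy_match(s), strict_match(s)) for s in samples]

if __name__ == "__main__":
    for url, weak, strict in compare():
        print(f"weak={weak!s:5} strict={strict!s:5} {url}")
```

Rejecting dot segments outright, rather than normalizing them and then comparing, avoids disagreement between the validator and whatever later resolves the path.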