PHP SDK issues
• OAuth 2.0: stealing an authorization code via redirect_uri tampering gives nothing, because the token exchange must present the same redirect_uri the code was issued to
• Facebook JS/PHP SDK: the code is issued with an empty redirect_uri:
src/base_facebook.php#L426
    protected function getUserAccessToken() {
        …
        // the JS SDK puts a code in with the redirect_uri of ''
        if (array_key_exists('code', $signed_request)) {
            $code = $signed_request['code'];
            …
            // exchanged with redirect_uri '' regardless of where the code was delivered
            $access_token = $this->getAccessTokenFromCode($code, '');
            …
• As a result, redirect_uri tampering attacks are invisible: the code is always exchanged with redirect_uri '', no matter where it was actually delivered
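The difference between the two bullets above, as an added example that is not part of the slides or of the Facebook SDK: a constructed Python model of an OAuth 2.0 token endpoint that binds each code to the redirect_uri it was issued to. A client that exchanges the code with its real redirect_uri (the RFC 6749 behaviour) cannot be tricked with a code issued to a tampered URI; a client that always sends '' only succeeds if the server also skips the binding check for an empty value, which is the assumption this model makes to reproduce the SDK scenario. Class and function names, URIs and client id are all constructed for the example.

```python
import secrets


class TokenEndpointModel:
    """Constructed model of an OAuth 2.0 authorization server (not Facebook's).
    Authorization codes are bound to the redirect_uri they were issued to."""

    def __init__(self, skip_check_on_empty_uri: bool):
        # Assumption for the SDK scenario: an exchange with redirect_uri '' can only
        # succeed if the server does not enforce the binding for an empty value.
        self.skip_check_on_empty_uri = skip_check_on_empty_uri
        self._codes = {}  # code -> (client_id, redirect_uri used at authorization)

    def issue_code(self, client_id: str, redirect_uri: str) -> str:
        # Validation of redirect_uri against the registered value is out of scope:
        # the slides' scenario is precisely one where a tampered value got through.
        code = secrets.token_urlsafe(16)
        self._codes[code] = (client_id, redirect_uri)
        return code

    def exchange(self, client_id: str, code: str, redirect_uri: str):
        bound = self._codes.pop(code, None)  # codes are single use
        if bound is None or bound[0] != client_id:
            return None
        # RFC 6749 section 4.1.3: the token request must carry the same
        # redirect_uri as the authorization request, and the server checks it.
        if redirect_uri == "" and self.skip_check_on_empty_uri:
            pass  # lenient path: binding not enforced for ''
        elif bound[1] != redirect_uri:
            return None
        return "token-for-" + bound[0]


REGISTERED_URI = "https://client.example/callback"        # constructed
TAMPERED_URI = "https://client.example/callback-tampered"  # constructed attacker-chosen value


def legitimate_login(lenient_server: bool) -> bool:
    """Normal flow: code issued to and exchanged with the registered redirect_uri."""
    server = TokenEndpointModel(skip_check_on_empty_uri=lenient_server)
    code = server.issue_code("app", REGISTERED_URI)
    return server.exchange("app", code, REGISTERED_URI) is not None


def replay_stolen_code(client_exchanges_with: str, lenient_server: bool) -> bool:
    """The victim's code was issued to TAMPERED_URI and captured there; it is then
    replayed into the legitimate client's callback.  True means the client's
    token exchange accepted it, i.e. the stolen code was worth something."""
    server = TokenEndpointModel(skip_check_on_empty_uri=lenient_server)
    stolen = server.issue_code("app", TAMPERED_URI)
    return server.exchange("app", stolen, client_exchanges_with) is not None


if __name__ == "__main__":
    print("spec-compliant client, strict server:", replay_stolen_code(REGISTERED_URI, False))
    print("client sends '', strict server:       ", replay_stolen_code("", False))
    print("client sends '', lenient server:      ", replay_stolen_code("", True))
```

The detection point for defenders is the same as the model's: a token exchange that passes an empty or constant redirect_uri has discarded the only evidence of where the code was delivered, so any code-theft on the redirect leg becomes indistinguishable from a normal login.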
signed_request takes priority over code-based authentication:
src/base_facebook.php#L525
    protected function getUserFromAvailableData() {
        // if a signed request is supplied, then it solely determines
        // who the user is.
        $signed_request = $this->getSignedRequest();
        if ($signed_request) {
            if (array_key_exists('user_id', $signed_request)) {
                $user = $signed_request['user_id'];
signed_request is also parsed from $_REQUEST (any GET or POST parameter), with no CSRF checks:
src/base_facebook.php#L489
    public function getSignedRequest() {
        if (!$this->signedRequest) {
            if (!empty($_REQUEST['signed_request'])) {
                $this->signedRequest = $this->parseSignedRequest(
                    $_REQUEST['signed_request']);
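The two fragments above together, as an added example that is not the SDK's code and not from the slides: a constructed Python model of signed_request handling. make_signed_request is a stand-in for what the identity provider issues and follows the documented sig.payload layout (base64url HMAC-SHA256 signature over the base64url JSON payload, keyed with the app secret); parse_signed_request verifies it. sdk_style_user mirrors getUserFromAvailableData plus getSignedRequest: a valid signed_request arriving as any request parameter decides who the user is. hardened_user is the added mitigation: the request must also carry the session's own state token, so a request forged from another origin cannot supply one. APP_SECRET, the function names, the user ids and the login_csrf_demo scenario are all constructed.

```python
import base64
import hashlib
import hmac
import json
import secrets

APP_SECRET = "constructed-app-secret"  # stands in for the real app secret


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def make_signed_request(payload: dict, secret: str) -> str:
    """Constructed stand-in for the provider: returns sig.payload, both base64url."""
    body = _b64url_encode(json.dumps({"algorithm": "HMAC-SHA256", **payload}).encode())
    sig = hmac.new(secret.encode(), body.encode(), hashlib.sha256).digest()
    return _b64url_encode(sig) + "." + body


def parse_signed_request(sr: str, secret: str):
    """Verify the HMAC over the encoded payload; None on any failure."""
    try:
        sig_b64, body = sr.split(".", 1)
        sig = _b64url_decode(sig_b64)
        data = json.loads(_b64url_decode(body))
    except (ValueError, TypeError):
        return None
    if not isinstance(data, dict) or data.get("algorithm") != "HMAC-SHA256":
        return None
    expected = hmac.new(secret.encode(), body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    return data


def sdk_style_user(params: dict, session: dict, secret: str):
    """Mirrors the SDK: a signed_request from any request parameter wins, no CSRF check."""
    sr = params.get("signed_request")
    if sr:
        data = parse_signed_request(sr, secret)
        if data and "user_id" in data:
            session["user"] = data["user_id"]
            return data["user_id"]
    return session.get("user")


def hardened_user(params: dict, session: dict, secret: str):
    """Added mitigation: the login request must carry the session's own state token."""
    sr = params.get("signed_request")
    if sr:
        expected_state = session.get("state")
        supplied_state = str(params.get("state", ""))
        if not expected_state or not hmac.compare_digest(
                expected_state.encode(), supplied_state.encode()):
            return session.get("user")  # request not tied to this session: ignore it
        data = parse_signed_request(sr, secret)
        if data and "user_id" in data:
            session["user"] = data["user_id"]
            return data["user_id"]
    return session.get("user")


def login_csrf_demo(authenticate):
    """Login CSRF / session fixation: a validly signed signed_request for the
    attacker's own account is submitted into the victim's browser session by a
    cross-origin request, which cannot know the victim's state token.
    Returns who the victim's session ends up logged in as."""
    attacker_sr = make_signed_request({"user_id": "attacker"}, APP_SECRET)  # constructed
    victim_session = {"state": secrets.token_hex(16)}
    authenticate({"signed_request": attacker_sr}, victim_session, APP_SECRET)
    return victim_session.get("user")


if __name__ == "__main__":
    print("SDK-style handler logs victim in as:", login_csrf_demo(sdk_style_user))
    print("hardened handler logs victim in as: ", login_csrf_demo(hardened_user))
```

Note that the signature check is not the weak point: the attacker's signed_request is genuinely valid, just for the wrong account. What the SDK lacks is any binding between the request that presents it and the session that will trust it, which is exactly what the state comparison in hardened_user adds.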
• PHP SDK compromises OAuth 2.0 authorization code grant flow
• Still not patched
• Impact:
• Downgrade attack (from the code grant to the signed_request-based flow)
• Session fixation (CSRF) with signed_request
• redirect_uri tampering combined with a stolen signed_request means authentication bypass
• Lessons:
• Facebook PHP SDK is not for secure authentication
• Don't trust code from external SDKs
Text From: http://conference.hitb.org/hitbsecconf2013ams/materials/D2T1%20-%20Andrey%20Labunets%20and%20Egor%20Homakov%20-%20OAuth%202.0%20and%20the%20Road%20to%20XSS.pdf