In recent few months White hat hacker Nir Goldshlager reported many critical bugs in Facebook OAuth mechanism, that allowed an attacker to hijack any Facebook account without user's interaction.
Another hacker 'Amine Cherrai' reported a new Facebook OAuth flaw, whose explotation is actually very similar to Nir Goldshlager's findings but with a new un-patched way.
Now, if you are aware about the vulnerability
used against Facebook OAuth in redirect_url parameter in the URL, there
is another way that Amine Cherrai found, to bypass the patch applied by
Facebook security team.
He found another file on Facebook, that allow redirection to steal access_token of victim's accounts.
i.e http://facebook.com/connect/xd_arbiter.php?#&origin=http://facebook.com/”
Successful explotation once again allowed hacker to hijack Facebook accounts using OAuth Flaw.
Proof of concept:
http://facebook.com/dialog/oauth?client_id=350685531728&response_type=token&display=page&redirect_uri=http%3A%2F%2Ftouch.facebook.com%2Fconnect%2Fxd_arbiter.php%3F%23%21%2Fapps%2Fmidnighthack%2F%3F%26origin%3Dhttp%3A%2F%2Ffacebook.com%2F
Hope you guys found it useful.
If you have any doubts regarding the above 0day, please do mention it below in comments.
I will try to answer you as soon as possible.
Thanks
