XSS in virtual reality forum one of three flaws chained to land bumper payout
A security researcher has earned a $30,000 bug bounty payout after seizing control of Facebook and Oculus accounts via exploitation of a trio of security vulnerabilities.
Owners of Oculus virtual reality headsets can log into their Oculus accounts via Facebook, which acquired the virtual reality (VR) pioneer in 2014. (Its latest model, Oculus Quest 2, can only be used via Facebook, prompting Germany’s antitrust watchdog to launch a probe).
Combined with two other flaws, a cross-site scripting (XSS) vulnerability found in the Oculus community forum domain could enable a malicious attacker to steal an Oculus access token and compromise the corresponding user’s accounts, Tunisian security researcher Youssef Sammouda discovered.
“This was possible because [the] forums.oculusvr.com domain uses [the] oculus.com authentication mechanism to login users to the forum using [the] https://graph.oculus.com/authenticate_web_application/ endpoint,” Sammouda said in a blog post documenting his findings.
This “would redirect him to https://forums.oculusvr.com/entry/oculus with an oculus access_token that could access graph.oculus.com/graphql and make GraphQL mutations/queries that allow him to takeover the account.”
In the iframe
Sammouda found that if the script embedded in https://forums.oculusvr.com/plugins/oculus/js/oculus-oauth.js and had debug mode enabled, it insecurely used document.write to add state parameter content inside the URL’s fragment (#state=PAYLOAD).
He served the payload with ‘state’, because although document.location was passed to document.write, it was in the payload’s URL-encoded format. Nevertheless, ‘state’ was in the decoded format.
What seemed to be an “easy XSS” proved otherwise, since var loginType = this.frameElement.id preceded document.write – returning ‘TypeError: Cannot read property ‘id’ of null’.
This could be solved to achieve an exploit by adding an iframe to https://forums.oculusvr.com/entry/oculus#state=payload and relaying the final link to the victim.
The researcher achieved this via Vanilla Forums, a third-party application hosted by the Oculus forum that allows embedded content from certain allow-listed websites.
One such site contained a vulnerability (now patched) that permitted Sammouda to redirect the payload from the embedded Vanilla Forums page to https://forums.oculusvr.com/entry/oculus.
Account takeover was initially stymied because changing the PIN or password, or adding contact points, required knowledge of a user PIN, while the Oculus forum domain couldn’t read the linked Facebook account access_token (a technique credited to fellow security researcher Josip Franjković).
Fortunately, Sammouda uncovered a third bug that allowed him “to upgrade the access_token to the context of another application” and bypass the Oculus forum’s “limited permissions”.
The third-party application could read the linked Facebook access_token, paving the way for takeover of both the Facebook account and, via the endpoint https://graph.oculus.com/fbauth, the Oculus account.
Sammouda told The Daily Swig that while chaining the bugs amplified the exploit’s severity, the XSS was only moderately difficult to unearth “since I already knew where to look for bugs (in code and endpoints added by Facebook to Vanilla Forums), and “the third one was easy to find since the vulnerable endpoint was mainly used for a similar purpose”.
Just in scope
Sammouda alerted Facebook to the flaws on November 24 and the social media giant fixed them on December 1.
Although the forums.oculus.com domain is out of scope in Facebook’s bug bounty program because it hosts a third-party application, the social media company made an exception on this occasion since the XSS “was found in the authentication flow added by Facebook”, said the researcher.
His bonus-inflated $30,000 payout surpasses the $25,000 he netted after unearthing a DOM-based XSS in Facebook in October 2020, as previously reported by The Daily Swig.