by capsule_toy
4864 days ago
I'll take a shot at this, but I only did a cursory reading of the article. To begin with, I don't believe you are vulnerable through this exploit any more. Facebook has fixed this by changing the response in OAuth so that it would no longer trigger the block redirect. In particular:
"Facebook had '1; mode=block' header. Now it's 0; because of us"

Every site using Facebook's OAuth was vulnerable. I don't believe the basic FB like button actually uses OAuth, but using FB as a way to login to your site would. The vulnerability takes advantage of Chrome's handling of the above response from the server. When it sees that response, it loads a separate page to prevent the request from going through. The problem is this particular page has details about the request, like OAuth credentials in the response, and allows a third party script to have access to details about the request. Once an attacker has access to OAuth credentials, they basically have access to the login credentials for that user (i.e. as if the user's username and password were compromised). Any user that is logged in to FB can have their OAuth app credentials compromised if they visited a site running this malicious code.
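The comment's mitigation is a header change: Facebook moved its OAuth responses from `X-XSS-Protection: 1; mode=block` to `X-XSS-Protection: 0`. The following is an added example, not code from the commenter or from Facebook, showing how a defender can parse that header and audit an OAuth callback response for the block-mode setting. The header names and sample values are constructed for the example; the function and variable names are assumptions.

```python
"""Audit the X-XSS-Protection header on an OAuth callback response.

Added example (not from the thread above). Flags the '1; mode=block'
setting the comment describes and treats the '0' setting Facebook
switched to as the safe configuration. All sample headers are constructed.
"""


def parse_xss_protection(value):
    """Parse an X-XSS-Protection header value.

    Returns (enabled, directives): enabled is True for '1', False for '0';
    directives maps lower-cased names (e.g. 'mode') to their values.
    """
    parts = [p.strip() for p in value.split(";")]
    if not parts or parts[0] not in ("0", "1"):
        raise ValueError(f"unrecognised X-XSS-Protection value: {value!r}")
    enabled = parts[0] == "1"
    directives = {}
    for part in parts[1:]:
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip()
    return enabled, directives


def audit_oauth_response(headers):
    """Check response headers (name -> value, case-insensitive) of an OAuth
    redirect endpoint. Returns a list of findings; an empty list means the
    header is set the way the comment describes as fixed ('0')."""
    lower = {k.lower(): v for k, v in headers.items()}
    value = lower.get("x-xss-protection")
    findings = []
    if value is None:
        # No explicit header: the browser's built-in auditor default applies,
        # so the endpoint does not opt out. Recommend setting '0' explicitly.
        findings.append("X-XSS-Protection missing; set '0' on OAuth endpoints")
        return findings
    enabled, directives = parse_xss_protection(value)
    if enabled and directives.get("mode") == "block":
        findings.append(
            "'1; mode=block' on an OAuth endpoint: the block interstitial "
            "can expose request details such as OAuth credentials"
        )
    elif enabled:
        findings.append("XSS auditor enabled ('1'); prefer '0' on OAuth endpoints")
    return findings


# Constructed sample responses: the setting the comment calls vulnerable,
# and the '0' setting it says Facebook switched to.
SAMPLE_VULNERABLE = {"Content-Type": "text/html", "X-XSS-Protection": "1; mode=block"}
SAMPLE_FIXED = {"Content-Type": "text/html", "X-XSS-Protection": "0"}

if __name__ == "__main__":
    for label, hdrs in (("vulnerable", SAMPLE_VULNERABLE), ("fixed", SAMPLE_FIXED)):
        print(label, audit_oauth_response(hdrs) or ["ok"])
```

Run it on the headers of your own OAuth redirect handler (for example, captured with your HTTP client's response object) to confirm the endpoint sends `0` rather than `1; mode=block`.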