by jfroma
4438 days ago
Basically the vulnerability is on the Facebook side. Every OAuth provider has a list of "allowed redirect URIs"; a good OAuth provider will check the entire URL, but Facebook doesn't check the query string in the URL. If you have a list of allowed redirects like:

- http://foo.com
- http://foo.com/foo

Facebook accepts redirects like:

- http://foo.com?anything_here=xx

And if the client has an open redirect, some query string to redirect anywhere, combined with response_type token... the evil website can get the token.
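
The two redirect checks contrasted in the comment above, as an added example that is not part of the original comment and is not Facebook's code: `lax_match` ignores the query string, `strict_match` compares the whole URL. Function names are hypothetical; the allow-list and test URLs are the comment's own examples.

```python
from urllib.parse import urlsplit

# Allow-list taken from the comment's example (registered redirect URIs).
ALLOWED_REDIRECTS = ["http://foo.com", "http://foo.com/foo"]


def _parts(uri):
    """Split a URI into the components a provider should compare."""
    p = urlsplit(uri)
    return (p.scheme.lower(), (p.hostname or "").lower(), p.port,
            p.path, p.query, p.fragment)


def lax_match(requested, allowed=ALLOWED_REDIRECTS):
    """Check as described in the comment: query string is never compared."""
    try:
        req = _parts(requested)[:4]          # scheme, host, port, path only
    except ValueError:                       # malformed port
        return False
    return any(req == _parts(a)[:4] for a in allowed)


def strict_match(requested, allowed=ALLOWED_REDIRECTS):
    """Whole-URL check: every component, query included, must match."""
    try:
        p = urlsplit(requested)
        if p.username or p.password or p.fragment:
            return False                     # never valid in a redirect_uri
        req = _parts(requested)
    except ValueError:
        return False
    return any(req == _parts(a) for a in allowed)


def compare(uris):
    """Return (uri, lax result, strict result) for each candidate."""
    return [(u, lax_match(u), strict_match(u)) for u in uris]


if __name__ == "__main__":
    for row in compare(["http://foo.com/foo",
                        "http://foo.com?anything_here=xx",
                        "http://evil.example/"]):
        print(row)
```
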