Login to any user account using another Facebook app's access token
Vulnerability Details
Vulnerable Url: https://api.imgur.com/generatetoken/thirdpartynativeandroid?type=facebook
Vulnerable Param: access_token
Attack:
An attacker can build their own Facebook app, obtain the victim's Facebook access token through it, and submit that token to the endpoint above to log in to the victim's Imgur account.
POC: https://drive.google.com/file/d/0B9bnr9ZtF2QsYktlRVFPUDB2SmM/view?usp=sharing
Prevention: Validate the access token and check that the app id it was issued to equals 127621437303857
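The check the report asks for, written out as an added example (this is not Imgur's code). It assumes Facebook's Graph API `debug_token` endpoint (`GET /debug_token?input_token=...&access_token=APP_ID|APP_SECRET`) returns `{"data": {"app_id", "is_valid", "user_id", "expires_at"}}`; the network calls are replaced by injectable fetch functions fed with constructed responses so it runs offline. The vulnerable pattern is shown beside the hardened one: the vulnerable login only asks which Facebook user a token belongs to, so a token minted by any app for the victim is accepted; the hardened login additionally requires Facebook to confirm the token was issued to the expected app id.

```python
"""Vulnerable vs. hardened handling of a third-party Facebook access token."""
import time
from typing import Any, Callable, Dict, Optional

# App id the report says the endpoint should have checked against.
IMGUR_FACEBOOK_APP_ID = "127621437303857"

DebugFetcher = Callable[[str], Dict[str, Any]]  # token -> parsed /debug_token JSON
MeFetcher = Callable[[str], Dict[str, Any]]     # token -> parsed /me JSON


class TokenRejected(Exception):
    """Raised when a token must not be turned into a session."""


def login_vulnerable(access_token: str, fetch_me: MeFetcher) -> str:
    """Pattern the report describes: any token that resolves to a Facebook user is
    accepted. A token issued by the attacker's own app resolves to the victim's
    user id just as well, so the attacker gets the victim's session."""
    return str(fetch_me(access_token)["id"])


def login_hardened(access_token: str, fetch_debug: DebugFetcher,
                   expected_app_id: str = IMGUR_FACEBOOK_APP_ID,
                   now: Optional[int] = None) -> str:
    """Accept only tokens Facebook reports as valid, unexpired and issued to OUR app."""
    data = fetch_debug(access_token).get("data")
    if not isinstance(data, dict):
        raise TokenRejected("malformed debug_token response")
    if data.get("is_valid") is not True:
        raise TokenRejected("token reported invalid by Facebook")
    # The fix from the report: compare the issuing app id with ours (as strings,
    # so an int/str mismatch cannot silently pass).
    if str(data.get("app_id", "")) != str(expected_app_id):
        raise TokenRejected("token was issued to a different app")
    expires_at = int(data.get("expires_at", 0))
    now = int(time.time()) if now is None else now
    # Assumption: expires_at == 0 denotes a non-expiring token.
    if expires_at and expires_at <= now:
        raise TokenRejected("token expired")
    user_id = data.get("user_id")
    if not user_id:
        raise TokenRejected("token carries no user id")
    return str(user_id)


# ---- constructed sample data (not real users, apps or tokens) -------------
VICTIM_ID = "1000000000000001"       # constructed
ATTACKER_APP_ID = "999999999999999"  # constructed

_ME = {  # what /me would answer for each constructed token
    "tok-from-attacker-app": {"id": VICTIM_ID, "name": "Victim"},
    "tok-from-imgur-app": {"id": VICTIM_ID, "name": "Victim"},
}
_DEBUG = {  # what /debug_token would answer for each constructed token
    "tok-from-attacker-app": {"data": {"app_id": ATTACKER_APP_ID, "is_valid": True,
                                       "user_id": VICTIM_ID, "expires_at": 2_000_000_000}},
    "tok-from-imgur-app": {"data": {"app_id": IMGUR_FACEBOOK_APP_ID, "is_valid": True,
                                    "user_id": VICTIM_ID, "expires_at": 2_000_000_000}},
    "tok-expired": {"data": {"app_id": IMGUR_FACEBOOK_APP_ID, "is_valid": False,
                             "user_id": VICTIM_ID, "expires_at": 1_000_000_000}},
}


def fake_me(token: str) -> Dict[str, Any]:
    return _ME[token]


def fake_debug(token: str) -> Dict[str, Any]:
    return _DEBUG.get(token, {"data": {"is_valid": False}})


def run_demo(now: int = 1_700_000_000) -> Dict[str, str]:
    """Run both login paths over the constructed tokens and collect the outcomes."""
    results: Dict[str, str] = {}
    # Vulnerable path: the attacker-app token logs in as the victim.
    results["vulnerable_attacker_token"] = login_vulnerable("tok-from-attacker-app", fake_me)
    for tok in ("tok-from-attacker-app", "tok-from-imgur-app", "tok-expired", "tok-garbage"):
        try:
            results[tok] = login_hardened(tok, fake_debug, now=now)
        except TokenRejected as exc:
            results[tok] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name}: {outcome}")
```

Run as a script to see the vulnerable path accept the attacker-app token while the hardened path rejects it, the expired token and an unknown token, and accepts only the token issued to the expected app. In production the `fetch_debug` callable would perform the Graph API request with an app access token that is kept server-side; the user-supplied token must never be the credential used to call `debug_token`, since an attacker-controlled token could then vouch for itself.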
Report Stats
- Report ID: 101977
- State: Closed
- Substate: resolved
- Upvotes: 67