ATO via Facebook OAuth: Unsanitized Schema Allows Stealing the OAuth Token
Deep Dive into an OAuth Exploit: A 0-Day Case Study
Hello Everyone,
In our continuous hunt for novel attack vectors and security challenges, mainteemoforfun and I embarked on an in-depth exploration of mobile authentication mechanisms. Our efforts culminated in the discovery of a striking 0-day vulnerability back in 2023 that has since been patched.
This vulnerability enabled us to potentially hijack user sessions on websites utilizing Facebook’s “Login With Facebook” feature. By manipulating the redirect_uri parameter in the OAuth flow, an attacker could redirect authentication tokens to a host under their control.
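The title attributes the issue to an unsanitized scheme in redirect_uri. The following added example (not code from the original post or from Facebook) contrasts a host-only redirect_uri check, which never looks at the scheme, with a strict check that allowlists the scheme and requires an exact match against pre-registered values. The client registration, host name and sample URIs are constructed assumptions.

```python
from urllib.parse import urlsplit

# Constructed registration data for a hypothetical client (assumption, not from the post).
REGISTERED_REDIRECTS = {
    "https://app.example.com/oauth/callback",
}
ALLOWED_SCHEMES = {"https"}


def naive_host_check(redirect_uri: str) -> bool:
    """Weak check: compares only the host, so the scheme is never validated."""
    return urlsplit(redirect_uri).hostname == "app.example.com"


def strict_redirect_check(redirect_uri: str) -> bool:
    """Hardened check: allowlisted scheme plus exact match on a registered URI."""
    try:
        parts = urlsplit(redirect_uri)
    except ValueError:
        return False  # unparseable input is rejected, never "best-effort" accepted
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    # Exact string comparison against pre-registered values: no prefix,
    # wildcard or host-only matching.
    return redirect_uri in REGISTERED_REDIRECTS


def audit(uris):
    """Return (uri, naive_result, strict_result) for each candidate URI."""
    return [(u, naive_host_check(u), strict_redirect_check(u)) for u in uris]


# Constructed sample inputs.
SAMPLES = [
    "https://app.example.com/oauth/callback",         # registered value
    "customscheme://app.example.com/oauth/callback",  # same host, unexpected scheme
    "http://app.example.com/oauth/callback",          # same host, downgraded scheme
]

if __name__ == "__main__":
    for uri, naive, strict in audit(SAMPLES):
        print(f"{uri:50} naive={naive} strict={strict}")
```

The host-only check accepts all three samples, while the strict check accepts only the registered value.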