Hijacking Facebook Account via Open Redirect Vulnerability in Quora App

by on June 16th, 2013

Developers found an open redirect vulnerability in the Quora app for Facebook that made stealing Facebook accounts easy. Quora is a Facebook app that connects you to everything you want to know about, and it has over 500,000 monthly users, so the victim base for this attack could be considerable. A video demonstration showed how to steal any friend’s Facebook account if the target’s Facebook account had the Quora app enabled.

The attacker only had to send the victim a link over Facebook chat; the link would steal the victim’s “access token” and then redirect him back to Facebook. The open redirect vulnerability in Quora allowed the attacker to bounce victims to a script designed to do exactly that.

With the stolen “access token”, the attacker could perform any task the victim could, such as publishing a status on the victim’s Facebook timeline, changing the Facebook account password, or anything else a regular Facebook user can do while logged into his own account.
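The fix for this class of bug is to refuse any redirect target that is not a same-site path or an allowlisted host, so a token carried in the URL cannot be bounced to a third party. The check below is an added example, not code from the article, Quora or Facebook; the function names and the allowlisted hosts are assumptions.

```python
from urllib.parse import urlparse

# Constructed allowlist: the only hosts this app may redirect a browser to.
ALLOWED_HOSTS = {"www.example-app.com", "example-app.com"}


def is_safe_redirect(target: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Return True only if `target` is a same-site path or an https URL on an
    allowed host. Anything else is treated as an open redirect attempt."""
    if not target or any(c in target for c in "\r\n\x00"):
        return False
    # Some browsers treat a backslash as a slash ("/\evil" -> "//evil");
    # normalise before parsing so the netloc check below sees it.
    target = target.replace("\\", "/")
    parsed = urlparse(target)
    if not parsed.scheme and not parsed.netloc:
        # Relative path: allow "/settings", reject protocol-relative "//host".
        return target.startswith("/") and not target.startswith("//")
    if parsed.scheme != "https":
        # Rejects http:, javascript:, data: and scheme-less "//host" forms.
        return False
    # .hostname drops userinfo ("https://good@evil") and the port, and
    # lowercases, so "good.com.evil.net" cannot pass as "good.com".
    return parsed.hostname in allowed_hosts


def safe_redirect_target(target: str, default: str = "/") -> str:
    """Value a handler should actually send in the Location header:
    the requested target if it passes the check, otherwise a safe default."""
    return target if is_safe_redirect(target) else default
```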

The issue was reported to Quora on June 9, 2013, and the company fixed it on June 14, 2013. [source]