Security researcher Prakhar Prasad reported the security hole to Quora

Jun 14, 2013 07:31 GMT  ·  By

Indian security researcher Prakhar Prasad has identified a way to hijack the accounts of Facebook users by exploiting an open redirect vulnerability in Quora.

The expert discovered that by leveraging an open redirect flaw in Quora’s contacts import page, he could steal the Facebook OAuth “access_token” of any Quora user who had signed up for the service via Facebook and still had the Quora Facebook app authorized.

It’s worth noting that the Quora Facebook app has over 500,000 monthly users, so the victim base for this attack was considerable.

According to the expert, the attacker had to convince the victim to click on a link. Opening the link captured the victim’s “access_token” and then sent them on to Facebook so that nothing looked amiss. The open redirect in Quora’s contacts import page is what made this possible: it let the attacker forward the victim, token included, to an attacker-controlled script that did the capturing. This is the classic OAuth open-redirect pattern, where a redirect endpoint on a domain the identity provider trusts becomes a way to bounce whatever the provider attaches to the callback to a host of the attacker’s choosing.
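The root cause described above is a redirect parameter that is not confined to the site’s own origin. The following is an added illustration, not code from Quora or from Prakhar Prasad’s write-up: a naive “starts with a slash” check of the kind that open redirects slip past, beside a validator that only accepts same-origin paths. The origin, parameter names and test URLs are assumptions for the example.

```python
from urllib.parse import urljoin, urlsplit

# Assumed site origin for the example; any redirect target must resolve here.
SITE_ORIGIN = "https://www.quora.com"


def naive_is_local(target: str) -> bool:
    """The sort of check that leaves an open redirect: a leading slash
    does NOT mean same-origin, because '//evil.example/x' is a
    protocol-relative URL that browsers resolve to another host."""
    return target.startswith("/")


def is_safe_redirect(target: str) -> bool:
    """Accept only a path on our own origin. Everything that could change
    the host (absolute URLs, protocol-relative URLs, backslash tricks,
    non-http schemes) is rejected."""
    if not target:
        return False
    # Backslashes and control characters are normalised to slashes or
    # stripped by some browsers, so refuse them outright.
    if any(ch == "\\" or ord(ch) < 0x20 for ch in target):
        return False
    parts = urlsplit(target)
    # Any explicit scheme (https:, javascript:, data:) or host is off-limits.
    if parts.scheme or parts.netloc:
        return False
    # Must be an absolute path, but not protocol-relative ('//host').
    if not target.startswith("/") or target.startswith("//"):
        return False
    # Resolve against our origin and confirm the host did not change.
    resolved = urlsplit(urljoin(SITE_ORIGIN, target))
    return resolved.scheme == "https" and resolved.netloc == urlsplit(SITE_ORIGIN).netloc


def redirect_location(target: str, default: str = "/") -> str:
    """Value to emit in the Location header: the validated target, or a
    fixed default when the requested target is not same-origin."""
    return urljoin(SITE_ORIGIN, target if is_safe_redirect(target) else default)


if __name__ == "__main__":
    # Constructed sample targets, including the protocol-relative form
    # that a startswith('/') check waves through.
    for t in ["/contacts/import", "//attacker.example/collect",
              "https://attacker.example/", "/\\attacker.example",
              "javascript:alert(1)", "/ok?next=https://attacker.example"]:
        print(f"{t!r:45} naive={naive_is_local(t)!s:5} safe={is_safe_redirect(t)}")
```

Note that a Location header without its own fragment causes browsers to carry the fragment of the current URL over to the new one, so a token delivered in a URL fragment to a legitimate callback survives an onward redirect. Validating the destination host is therefore what matters; stripping query parameters alone does not help.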

With the “access_token” in hand, the attacker could act on the victim’s behalf through the Facebook API within the permissions granted to the Quora app, for example publishing a status on the victim’s timeline.

The issue was reported to Quora on June 9 and it was addressed by the company on June 14.

Additional technical details are available on Prakhar Prasad’s blog.