Slack: Facebook Takeover using Slack using 302 from with access_token

ID H1:6017
Type hackerone
Reporter fransrosen
Modified 2015-01-11T15:25:45



I noticed that your Facebook application used in the "Import Photo" can be used to take over the Facebook account of the user being attacked.

It's multiple issues in one:

1. You have a 302 redirect from a domain. Hash-values will follow the redirect.
2. The Facebook application OAuth settings are too weak, and a will be accepted as the redirect_uri. You should restrict these to a that then redirects to the subdomain, instead of allowing all, or deny the as an OAuth redirect-subdomain.

So, the following URL will redirect the user to after authentication of the app (or if the user already has it approved, no client interaction is needed):

I have attached POC-images showing what happens and what the Token provides as it is today (you can modify the scope, the user needs to approve it, but it still looks legit coming from Slack).

Regards, Frans
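Added illustration (not code from the report, nor from Slack's or Facebook's own implementation): the two checks below contrast the subdomain-wildcard redirect_uri match the report calls too weak with the exact-match allowlist it recommends, and the last function shows the user-agent fragment rule that lets a token in the URL hash survive an intermediate 302. All hostnames are constructed placeholders, since the report elides the real ones.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed placeholders: the report elides the real hostnames, so these stand
# in for the app's registered callback and its apex domain.
REGISTERED_REDIRECT_URIS = {"https://app.example.com/oauth/callback"}
APP_APEX_DOMAIN = "example.com"


def weak_redirect_uri_check(redirect_uri: str) -> bool:
    """Subdomain-wildcard match, the pattern the report describes as too weak.

    Any host under the apex domain passes, including one whose only behaviour
    is to answer with a 302 to somewhere else.
    """
    host = (urlsplit(redirect_uri).hostname or "").lower()
    return host == APP_APEX_DOMAIN or host.endswith("." + APP_APEX_DOMAIN)


def strict_redirect_uri_check(redirect_uri: str) -> bool:
    """Exact-string match against the registered list (RFC 6749 section 3.1.2).

    A fragment is rejected outright: a registered redirect URI must not carry
    one, and an implicit-grant token is delivered in exactly that part of the URL.
    """
    if urlsplit(redirect_uri).fragment:
        return False
    return redirect_uri in REGISTERED_REDIRECT_URIS


def url_after_redirect(request_url: str, location: str) -> str:
    """URL a browser lands on after a 302 (RFC 7231 section 7.1.2 fragment rule).

    When the Location header carries no fragment, the user agent keeps the
    fragment of the URL it was on. That is why '#access_token=...' survives a
    redirect hop that the server never sees, and why the redirect target gets it.
    """
    req, loc = urlsplit(request_url), urlsplit(location)
    if loc.fragment or not req.fragment:
        return location
    return urlunsplit((loc.scheme, loc.netloc, loc.path, loc.query, req.fragment))
```

The weak check accepts `https://redirector.example.com/` while the strict one rejects it; a subdomain that only answers with a 302 therefore never qualifies as a callback under the strict rule.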