Filed in General, PoC Gallery, Write Ups
Hijacking User's Private Information access_token from Microsoft Office360 facebook App
Mohamed A. Baset

Hi Guys, today I would like to show you how a single misconfiguration issue could jeopardize a user's privacy if maliciously exploited, namely by hijacking the user's “access_token” from the Microsoft Office 365 Facebook app. Microsoft decided that this Office 365 Facebook app is NOT in scope for their Microsoft Online Services bug bounty, although we proved that the bug we discovered can result in stealing the Microsoft Office Facebook app access token, and that this is due to a misconfiguration in the Microsoft Office Facebook app itself.


Remember Cambridge Analytica and the Facebook data leak? It happened via one of the applications that CA built to harvest the data of millions of American users. That being said, this discovered bug could be exploited at large scale against the users of the misconfigured Microsoft Office 365 Facebook app to steal the access tokens of the users who granted access to it, and hence hijack their private information (the data specified in the scope of the Facebook app itself).


About the Microsoft Office Facebook App:

The Microsoft Office Facebook app is used to exchange data such as contacts with Microsoft platforms (Outlook, Office, Office 365, etc.).


The issue:
The Microsoft Office Facebook app is configured to accept a valid redirection to *, which means no protocol (http/https) is specified and no subdomain is pinned. With the help of ARP poisoning and the injection of a small piece of code into the user's traffic (any traffic), the attacker is able to catch the access token among the traffic data. We added “response_type=token” to get the access_token instead of an authorization “code”, and because a lot of Facebook users have already granted access to a trusted application like this one, we *attackers* will not have to wait for the victim to grant access to the application again (access was already granted some time before the attack).


The real-life attack vectors:
1. [Remotely] Via Unvalidated Redirects

As stated in the Microsoft Online Services bug bounty rules: “URL Redirects (unless combined with another vulnerability to produce a more severe vulnerability)”

We managed to get the following results as PoC examples:,user_about_me,friends_about_me,email,user_activities,friends_activities,user_birthday,friends_birthday,user_education_history,friends_education_history,user_hometown,friends_hometown,user_interests,friends_interests,user_website,friends_website,user_work_history,friends_work_history,user_status,friends_status,user_photo_video_tags,friends_photo_video_tags,user_photos,friends_photos,user_videos,friends_videos,friends_location,friends_interests&response_type=token&

This results in stealing the user's access token by redirecting it *in our example domain* to “”

PoC Video:

2. [Locally] Via MiTM Attacks
Because our redirection endpoint can be an “http” connection (as in the first attack vector), a local attacker can initiate a man-in-the-middle attack and inject a small piece of JavaScript code into the traffic to read the URL fragment and obtain the access token.

PoC Video:

After stealing the user's “access_token”, attackers gain every permission granted to this Facebook app: (offline_access, user_about_me, friends_about_me, email, user_activities, friends_activities, user_birthday, friends_birthday, user_education_history, friends_education_history, user_hometown, friends_hometown, user_interests, friends_interests, user_website, friends_website, user_work_history, friends_work_history, user_status, friends_status, user_photo_video_tags, friends_photo_video_tags, user_photos, friends_photos, user_videos, friends_videos, friends_location, friends_interests)
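The root cause behind both attack vectors is the redirect target of *: the authorization server accepts any scheme and any host, so a token issued with response_type=token can be sent to an http endpoint (readable by a local MiTM) or to a host the app owner does not control. The following is an added example, not code from this post or from Facebook or Microsoft. It models that wildcard policy next to the exact-match allow list an authorization server should enforce, and it flags implicit-flow requests for an app that is only registered for the authorization-code flow. The registered URI app.example.com, the issuer idp.example, the client id APP_ID_PLACEHOLDER and all sample requests are constructed placeholders.

```python
"""Strict OAuth redirect_uri validation versus a wildcard policy (added example)."""
from urllib.parse import urlsplit, parse_qs, urlencode

# Constructed allow list for a hypothetical app: scheme, host and path are all
# pinned. No wildcards, no http. A real server would load this per client_id.
REGISTERED_REDIRECT_URIS = {
    "https://app.example.com/oauth/callback",
}
# The hypothetical app only uses the authorization-code flow, so a request
# asking for a token directly in the fragment is not something it should get.
REGISTERED_RESPONSE_TYPES = {"code"}


def wildcard_redirect_allowed(redirect_uri: str) -> bool:
    """The weak policy: a registered target of "*" matches anything that parses
    as an absolute URL, whatever the scheme or host. Shown only so the contrast
    with the strict check below is visible."""
    parts = urlsplit(redirect_uri)
    return bool(parts.scheme) and bool(parts.netloc)


def strict_redirect_allowed(redirect_uri: str) -> bool:
    """The corrected policy: the candidate must be https, carry no query string
    or fragment, and match a registered URI exactly after normalising the host
    (lowercase, default port dropped). Comparing on the parsed hostname rather
    than the raw netloc means user-info tricks such as
    https://app.example.com@other.example/ are compared as other.example."""
    parts = urlsplit(redirect_uri)
    if parts.scheme.lower() != "https":
        return False
    if parts.query or parts.fragment:
        return False
    try:
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    host = parts.hostname or ""
    netloc = host if port in (None, 443) else f"{host}:{port}"
    normalised = f"https://{netloc}{parts.path or '/'}"
    return normalised in REGISTERED_REDIRECT_URIS


def check_authorization_request(url: str) -> dict:
    """Evaluate a full /oauth/authorize request the way the server should.
    Returns the decision plus the reasons, so the same result can feed a
    refusal, a log line or an alert on a sudden rise in rejected requests."""
    params = parse_qs(urlsplit(url).query)
    redirect_uri = params.get("redirect_uri", [""])[0]
    response_type = params.get("response_type", [""])[0]
    reasons = []
    if not strict_redirect_allowed(redirect_uri):
        reasons.append("redirect_uri is not on the exact-match allow list")
    if response_type not in REGISTERED_RESPONSE_TYPES:
        reasons.append(f"response_type={response_type!r} is not registered for this app")
    return {"allowed": not reasons, "reasons": reasons}


def build_request(redirect_uri: str, response_type: str) -> str:
    """Build a constructed authorization request against a placeholder issuer."""
    query = urlencode({
        "client_id": "APP_ID_PLACEHOLDER",
        "redirect_uri": redirect_uri,
        "response_type": response_type,
    })
    return "https://idp.example/oauth/authorize?" + query


# Constructed sample requests: one legitimate, three that a "*" policy would
# wave through but the strict policy rejects.
SAMPLE_REQUESTS = {
    "legitimate": build_request("https://app.example.com/oauth/callback", "code"),
    "http_downgrade": build_request("http://app.example.com/oauth/callback", "code"),
    "other_host_implicit": build_request("https://unregistered.example/", "token"),
    "userinfo_trick": build_request(
        "https://app.example.com@unregistered.example/oauth/callback", "code"),
}


def audit(requests: dict = None) -> dict:
    """Run every sample (or supplied) request through the strict check."""
    requests = requests if requests is not None else SAMPLE_REQUESTS
    return {name: check_authorization_request(url) for name, url in requests.items()}


if __name__ == "__main__":
    for name, verdict in audit().items():
        status = "ALLOW" if verdict["allowed"] else "REJECT"
        print(f"{name:22s} {status}  {'; '.join(verdict['reasons'])}")
```

Only the "legitimate" request passes; the http downgrade is what makes the local MiTM vector possible, and the other two would have been accepted by a wildcard target. Rejected requests are worth logging with their redirect_uri, since a burst of them against one client_id is a cheap detection signal.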


Hope you enjoyed it.

