Remember the last OAuth Flaw in Facebook, that allow an attacker to hijack any account without victim's interaction with any Facebook Application, was reported by white hat Hacker 'Nir Goldshlager'. After that Facebook security team fixed that issue using some minor changes.
Yesterday Goldshlager once again pwn Facebook OAuth mechanism by bypassing all those minor changes done by Facebook Team. He explains the complete Saga of hunting Facebook bug in a blog post.
In recent discovered technique hacker found that next parameter allow facebook.facebook.com domain as a valid option and multiple hash signs is now enough to bypass Regex Protection.
He use facebook.com/l.php file (used by Facebook to redirect users to external links) to redirect victims to his malicious Facebook application and then to his own server for storing token values, where tokens are the alternate access to any Facebook account without password.
Example: https://www.facebook.com/l/goldy;touch.facebook.com/apps/sdfsdsdsgs (where 'goldy' is the 5 byte of data used).
Now at the last step, He Redirect the victim to external websites located in files.nirgoldshlager.com (attacker server) via malicious Facebook app created by him and victim's access_token will be logged there. So here we have the final POC that can hack any Facebook account by exploiting another Facebook OAuth bug.
For all browsers:
For Firefox browser:
This bug was also reported to Facebook Security Team last week by Nir Goldshlager and patched now, if you are a hacker, we expect YOU to hack it again !