In recent few months White hat Hacker ,'Nir Goldshlager' reported many critical bugs in Facebook OAuth mechanism, that allowed an attacker to hijack any Facebook account without user's interaction. 

Another hacker, 'Amine Cherrai' reported a new Facebook OAuth flaw, whose exploitation is actually very similar to Nir Goldshlager's findings but with a new un-patched way.
Before reading further, I would like to suggest you to read following post to understand the basic exploitation mechanism:
  1. Facebook OAuth flaw allows gaining full control over any Facebook account
  2. Facebook hacking accounts using another OAuth vulnerability
  3. URL Redirection flaw in Facebook apps push OAuth vulnerability again in action
Now, if you are aware about the vulnerability used against Facebook OAuth in redirect_uri parameter in  the URL, there is another way that Amine Cherrai found, to bypass the patch applied by Facebook security team.

He found another file on Facebook, that allow redirection to steal access_token of victim's accounts. i.e http://facebook.com/connect/xd_arbiter.php?#&origin=http://facebook.com/” . Successful exploitation once again allowed hacker to hijack Facebook accounts using OAuth Flaw. 

Proof of concept :
http://facebook.com/dialog/oauth?client_id=350685531728&response_type=token&display=page&redirect_uri=http%3A%2F%2Ftouch.facebook.com%2Fconnect%2Fxd_arbiter.php%3F%23%21%2Fapps%2Fmidnighthack%2F%3F%26origin%3Dhttp%3A%2F%2Ffacebook.com%2F

Video Demonstration:

By the way this bug was closed by Facebook Security Team few days back and your social accounts are once again secured, till next finding !

Have something to say about this article? Comment below or share it with us on Facebook, Twitter or our LinkedIn Group.