Introduction
Oculus Developer Support is the dedicated hub for developers and creators building virtual reality (VR) experiences on the Oculus platform. For more details see https://developer.oculus.com/support/
The finding
Having tested Oculus a few months earlier without finding any bugs, I returned to the platform on September 17th for a fresh look. While exploring the Oculus Developer domain I noticed an option labelled ‘Report a Bug’. The feature lets users submit general bugs to the Oculus support team, but it also contained an access-control flaw: an unauthorized user could comment on another user’s private Oculus Developer bug report, provided they knew the ID of a comment on that report.
Reproduction Steps
Step 1: I started by creating a public bug and adding a comment to it. I then replied to my own comment and intercepted the request with Burp Suite to inspect its parameters. The request looked as follows:
POST /graphql?locale=user HTTP/1.1
Host: graph.oculus.com
access_token=My-Access-Token&variables={"input":{"client_mutation_id":"1","comment_parent_id":"556190998150906","external_post_id":"548709645565708","message":"whatever"}}&blablabla
Step 2: Two parameters in the request stood out:
- comment_parent_id: the ID of my bug (visible in the bug’s URL: https://developer.oculus.com/bugs/bug/your-bug-ID/).
- external_post_id: the ID of the comment (here, my own comment) that I replied to.
Given these observations, I had two plans:
Plan A: First, I tried to add comments to other users’ private bugs by replacing my bug ID (comment_parent_id) with theirs. This did not work.
Plan B: I then tried to add comments to other users’ private bugs by changing only the external_post_id value to the ID of a comment on their private bug, leaving my own bug ID in comment_parent_id. Testing with two separate accounts, this worked. The server was authorizing the request against the bug ID alone and never checked that the comment named by external_post_id actually belonged to that bug, so the reply landed on the victim’s private bug. Remarkably, I already knew Plan B would work while I was still on Plan A. Don’t ask me how; I just felt it.
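To make the authorization mistake concrete, here is an added example that is not code from the original post or from Oculus: it models the reply mutation over in-memory data and shows the flawed check beside a corrected one. Bug, Comment, BUGS, COMMENTS, can_view_bug, reply_vulnerable, reply_fixed and attempt are all hypothetical names; the parameter names follow the captured request, with comment_parent_id treated as the bug ID and external_post_id as the ID of the comment being replied to, as described above. The attacker's IDs are the two from the captured request; the victim's IDs are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Optional


class Forbidden(Exception):
    """Raised when the caller may not perform the mutation."""


@dataclass
class Bug:
    bug_id: str
    owner: str
    private: bool


@dataclass
class Comment:
    comment_id: str
    bug_id: str          # the bug this comment lives on
    author: str
    message: str
    parent_comment_id: Optional[str] = None


# Constructed sample data (hypothetical, not the real Oculus back end).
# The attacker's IDs are the ones from the captured request; the victim's
# IDs are placeholders.
BUGS = {
    "556190998150906": Bug("556190998150906", owner="attacker", private=False),
    "victim-bug-id": Bug("victim-bug-id", owner="victim", private=True),
}
COMMENTS = {
    "548709645565708": Comment("548709645565708", "556190998150906", "attacker", "hello"),
    "victim-comment-id": Comment("victim-comment-id", "victim-bug-id", "victim", "private note"),
}


def can_view_bug(user: str, bug: Bug) -> bool:
    """Private bugs are visible only to their owner and the support team."""
    return (not bug.private) or bug.owner == user or user == "support"


def _store_reply(user: str, parent: Comment, message: str) -> Comment:
    """Persist a reply; it is attached to whatever bug the parent comment is on."""
    new_id = f"reply-{len(COMMENTS) + 1}"
    reply = Comment(new_id, parent.bug_id, user, message, parent.comment_id)
    COMMENTS[new_id] = reply
    return reply


def reply_vulnerable(user, comment_parent_id, external_post_id, message):
    """The flaw: only the bug named by comment_parent_id is authorized.
    The comment named by external_post_id is looked up but never checked
    against that bug, so the reply lands on any comment whose ID the caller
    knows (Plan B), while swapping comment_parent_id alone fails (Plan A)."""
    bug = BUGS[comment_parent_id]
    if not can_view_bug(user, bug):
        raise Forbidden("no access to bug")
    parent = COMMENTS[external_post_id]
    return _store_reply(user, parent, message)


def reply_fixed(user, comment_parent_id, external_post_id, message):
    """Authorize the object actually acted on: resolve the parent comment,
    require it to belong to the bug named in the request, then check access
    to that bug. Missing and forbidden objects yield the same error so the
    endpoint cannot be used to confirm which guessed IDs exist."""
    bug = BUGS.get(comment_parent_id)
    parent = COMMENTS.get(external_post_id)
    if bug is None or parent is None or parent.bug_id != bug.bug_id:
        raise Forbidden("not found")
    if not can_view_bug(user, bug):
        raise Forbidden("not found")
    return _store_reply(user, parent, message)


def attempt(handler, user, comment_parent_id, external_post_id):
    """Run a handler and report the bug the reply ended up on, or 'forbidden'."""
    try:
        return handler(user, comment_parent_id, external_post_id, "whatever").bug_id
    except Forbidden:
        return "forbidden"


if __name__ == "__main__":
    # Attacker keeps their own public bug ID but supplies the victim's comment ID.
    print("vulnerable:", attempt(reply_vulnerable, "attacker", "556190998150906", "victim-comment-id"))
    print("fixed:     ", attempt(reply_fixed, "attacker", "556190998150906", "victim-comment-id"))
    print("fixed, own:", attempt(reply_fixed, "attacker", "556190998150906", "548709645565708"))
```

The corrected handler authorizes the relationship between the two identifiers rather than either one on its own, so both Plan A and Plan B are rejected while a legitimate reply on the caller's own bug still succeeds. Returning one error for "no such comment" and "not allowed" also matters once an attacker starts trying candidate IDs: an endpoint that distinguishes the two cases would confirm which private comment IDs exist.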
Bug Limitation
This bug, while impactful, had one significant limitation: an attacker needs the ID of a comment on the victim’s private bug, and private bugs are visible only to the bug owner and the support team. Obtaining such an ID is therefore hard. The 15-digit comment IDs seen in the request above are also far too sparse to enumerate by guessing, so in practice the attack depends on a comment ID leaking through some other channel.
Even so, identifiers should never be treated as secrets. An attacker might uncover other users’ comment IDs some other way, or build a list of candidate IDs and try them against the mutation one by one. Object-level authorization has to hold regardless of how the attacker came by the ID.
Vulnerabilities of this kind should be fixed regardless of how difficult the immediate exploit looks: the server must authorize every object a mutation touches, not just the one named in the URL, which here means checking that the comment being replied to belongs to a bug the caller is allowed to see.
Timeline
Sarmad | 17 Sep 2018
Initial Report
Meta Bug Bounty | 19 Sep 2018
Report Triaged
Meta Bug Bounty | 05 Oct 2018
Bug Fixed
Sarmad | 05 Oct 2018
Fix Confirmed
Meta Bug Bounty | 10 Oct 2018
Bounty Awarded