Gaining Access To The Oculus Developer Database

One of the hackers over at Bitquark popped a shell on on the Oculus Developer Portal giving him full reign over the special admin panel inside. If he felt so inclined, this allowed him edit users, modify projects, add news articles, edit the dashboard, upload SDK files, and variety of other goodies.

The process started by using a SQL injector called BSQLi to test out parameters, cookies, and headers. Injecting into the header revealed that the Oculus team members were inserting X-Forwarded-For headers directly into the database without proper escape formatting. This got him in the door, and with a little assistance from sqlmap, the database was enumerated, and a pattern was recognized. Oculus passwords that were stored in the DB were heavily hashed. However, the user session variables remained unprotected. A SQL query was quickly built, the latest admin session was promptly extracted, and then the information was plugged in granting access to the portal. A bit more snooping around uncovered that the AJAX eval() preview script wasn’t secured by a CSRF token which could easily be exploited by a malicious hacker.

The findings were then turned into Facebook who paid the guy $15,000 for the first vulnerability plus the privilege escalation attack. $5,000 was then awarded for each subsequent SQL injection as the admin account takeover vulnerability that was found, giving the guy a nice payout for a week’s worth of work.

23 thoughts on “Gaining Access To The Oculus Developer Database

  1. You know when a security professional breaks into something (to prove how insecure and vulnerable it really is — with no malicious intention of any kind) — needs to be rewarded in some way. When someone does this ‘to help out’, and doesn’t get rewarded or acknowledged — what’s to stop them the next time from doing something malicious?
    So, I’m glad facebook paid the guy — rather than report him to the authorities.

    1. That’s a very delicate question, and it can go many different and unpredictable ways. Right now if you accidentally discover a vulnerability on your bank’s site, and report it to them, it’s a toss up whether they’ll thank you, reward you, or turn you over to the authorities. For many security people, they have reduced their personal risk by turning to gray market selling of vulnerabilities: cash up front, no questions asked. But by offering a bounty, the owners can at least state their intentions up front: “we will pay you and not prosecute you as long as you disclose them to us on our terms and conditions.” It’s safer for the hacker, and safer for the site.

  2. I have spent many years in web development and server management so I have a lot to do with web security. However I come to this site for the hardware hacking content.

    It’s a huge leap from hardware hacking to web hacking and that is going to be far too big a leap for many visitors here. HAD may pick up more hits but it will be at the expense of your user base.

    I personal don’t want to see this sort of content here and that is coming from someone who you may expect to find this relevant.

    1. Web development isn’t assembly, but security is security. Paying attention to that is something every hardware, and software, hacker should know too.

      And why is your opinion so valuable on this topic of what stories should be posted? Look back in the archives, see how few stories were posted per day early on; and compare that to now. Do you think that this short little story cluing folks in to a fairly big problem is going to eat up the author’s time so much that you’ll be deprived of stories you really want to read?

      Or, tell the truth, you wrote the POS interface that got busted and just don’t want anyone to notice.

        1. I like how he just gets slowly angrier and angrier. You can imagine that by the 5th paragraph it’s pure abuse, by the 6th it’s degraded to a stream of curses before finally approaching the 7th paragraph of !$%”£!”

          1. I was hoping I got that across well. I kept editing things til I thought the aggravation elevated at the right order, but one can never be sure. The original post progressed the same way (I don’t like this, other people won’t like this, HAD shouldn’t do this at all) so I wanted to try an extreme response.

            Glad the joke wasn’t missed entirely.

        2. See my reply to millsy; but I wanted to try to troll in the same pattern that the classic “i hate this post” troll poster uses. Maybe Bob really does hate this and think it will ruin Hack A Day, but it’s also a pretty classic troll even in the usenet days. See “concern troll”; plus Bob’s self’s righteous “I personal don’t want to see this sort of content here and that is coming from someone who you may expect to find this relevant.” just aggravated me into action.

          I actually spent a good bit of the time writing it giggling and trying to figure out how much I could get away with before the admins tossed my post. Seems I managed so far.

    2. Disclaimer: As a software dev, I find this story very interesting.

      Even so, I kindof agree with your point. I come here to see people use common materials to do the awesome, as well as hardware/electronics hacks and great designs.

      I don’t think you’re saying “don’t do this”, but more “don’t do this to excess”. Which is something I can get behind.

    3. It’s not like they tossed up a story about some random site, this was a very specific article. It is relevant as it pertains to a piece of hardware which has been previously posted on HAD.

  3. I don’t want to come over as negative but this is pretty much sql injection 101. It’s literally just pointing a program/script at a site which tests various types of injection to try find an unescaped SQL query.

    The only reason why it’s news worthy is because FB bought Oculus Rift and they have a good policy of paying out for ‘exploits’.

    This is the same way most sites are “hacked” now days and is why open source, openly tested platforms are generally safer than a homegrown CMS.

  4. I found this content interesting and relevant. The HaD community is aware of the Oculus Rift, it might be of interest then to the community to be aware that an unauthorized party gained access to private data within that company. I enjoy reading about hardware hacks, but I also enjoy reading an occasional CTF challenge write up. I therefore welcome the ablility to scratch both itches at one site when there is a natural cross over given the aforementioned community relevance of the subject. To those not interested in the software security arena, I suggest reevaluating those views. Our hardware is increasingly software driven, and our software problems in the server and desktop domain increasing have direct relevance within the embedded platforms context.

  5. I for one liked this story. I may have felt differently if there was no connection to the Oculus Rift as this is a pretty cut and dry SQL injection attack (although putting together a working control panel was a nice touch).

    The part of the story that saddens me is that we’re *still* leaving sites vulnerable to injection. I’ve run into this scenario on http://stackoverflow.com so many times that I wrote a blog post to point people to so I didn’t have to explain it every time:

    http://www.richquackenbush.com/2011/02/bind-variables.html

  6. I thought hackaday was all about hacking and not cracking?
    Nice story with a bit of sunshine in the end but I concur with (most of) the audience – this is perhaps not the best forum for such a story.
    Had he build a hardware-gizmo to hack the DB it’d be a different story altogether…

  7. Its not a hardware hack but there’s no reason to hate. And if there is then maybe HAD should stop working on Mooltipass. Since that is combatting password insecurity which at its roots is mainly websites getting hacked. Some of them through SQL injection.

Leave a Reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.