Renren's OAuth 2.0 authorization does not impose strict restrictions on the redirect_uri of third-party applications. If a third-party website has an XSS vulnerability, it can be used to induce users to disclose their access_token.
However, Renren's API interface has a sign verification, so it is difficult to make use of the access_token.
Details: I just submitted a ku6 XSS vulnerability because it is used to test this vulnerability.
1. Log on to Renren.
2. Access this address:
http://graph.renren.com/oauth/grant?client_id=cd271e3051444285b8a18f1211a095cd&redirect_uri=http://zone.ku6.com/u/17958620&response_type=token
3. You are redirected to the ku6 address that has the XSS:
http://zone.ku6.com/u/17958620
The Renren address in step 2 is used to authorize a third party. An authorization request with response_type=token only needs to provide the application's client_id and the redirect_uri address entered when the application was registered; however, Renren does not strictly check the redirect_uri. If the domain of the redirect_uri has an XSS vulnerability, an attacker can induce the user to authorize and hijack the user's access_token.
Proof of vulnerability:
The access result is as follows:
Solution:
The redirect_uri should be checked strictly against the value registered for the application and should not be granted full trust for the entire domain.
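As an added illustration of the fix (example code, not Renren's own implementation), the following compares the weak domain-wide check the report describes with an exact-match check on the registered redirect URI. The client_id is the one from the report; the registered callback path and the registry itself are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed registry for the example: one hypothetical client with one
# registered redirect URI. The callback path is assumed, not Renren's data.
REGISTERED = {
    "cd271e3051444285b8a18f1211a095cd": ["http://zone.ku6.com/oauth/callback"],
}


def weak_redirect_check(client_id, redirect_uri):
    """Domain-wide trust: accept any URI whose host matches a registered host.

    This is the behaviour the report describes. Any page on the registered
    domain, including one with an XSS, then becomes a valid place for the
    authorization server to deliver the access_token.
    """
    requested = urlsplit(redirect_uri)
    for registered in REGISTERED.get(client_id, []):
        if urlsplit(registered).netloc.lower() == requested.netloc.lower():
            return True
    return False


def strict_redirect_check(client_id, redirect_uri):
    """Exact match: scheme, host (with port) and path must equal a registered
    URI after case-folding scheme and host; query and fragment are rejected.

    A full-string netloc comparison also rejects look-alike hosts such as
    'zone.ku6.com.evil.example' or 'zone.ku6.com@evil.example'.
    """
    requested = urlsplit(redirect_uri)
    if requested.query or requested.fragment:
        return False
    for registered in REGISTERED.get(client_id, []):
        reg = urlsplit(registered)
        if (reg.scheme.lower(), reg.netloc.lower(), reg.path) == (
            requested.scheme.lower(), requested.netloc.lower(), requested.path
        ):
            return True
    return False
```

With the report's redirect_uri (http://zone.ku6.com/u/17958620), the weak check accepts and the strict check rejects, while the registered callback passes both.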
Author PiaCa