Facebook said to fix OAuth-based account hijacking flaw

The vulnerability could have allowed attackers to steal OAuth tokens and access Facebook accounts, a researcher says

Facebook has patched a serious vulnerability that could have allowed attackers to easily gain access to private user account data and control accounts by tricking users into opening specifically crafted links, a Web application security researcher said late Thursday.

Nir Goldshlager, the researcher who claims to have found the flaw and reported it to Facebook, posted a detailed description and video demonstration of how the attack worked on his blog.

The vulnerability would have allowed a potential attacker to steal sensitive pieces of information known as OAuth access tokens. Facebook uses the OAuth protocol to give third-party applications access to user accounts after users approve them. Each application is assigned a unique access token for every user account.

Goldshlager found a vulnerability on Facebook's websites for mobile and touch-enabled devices that stemmed from improper sanitization of URL paths. This allowed him to craft URLs that could have been used to steal the access token for any application a user had installed on their profile.
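The article does not say which path-handling check on the mobile sites was at fault. As an added defensive illustration (not the page's, the researcher's or Facebook's code), the validator below shows the kind of strict redirect-URI check that prevents URL-manipulation tricks from redirecting an OAuth token to an unintended destination: the URI is canonicalized (single percent-decode, dot-segment collapse, no fragments or userinfo) and then compared exactly against a registered value. The client id and registered URI are constructed placeholders, and the assumption that redirect-URI matching is the relevant control is this example's, not the article's.

```python
from typing import Optional
from urllib.parse import urlsplit, urlunsplit, unquote
import posixpath

# Constructed registry for the example: client_id -> exact registered redirect URIs.
# Placeholder values, not real application data.
REGISTERED = {
    "app-123": {"https://app.example.com/oauth/callback"},
}


def canonicalize(url: str) -> Optional[str]:
    """Return a canonical https URL, or None if the URL is malformed or uses
    constructs that make the token's destination ambiguous."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return None
    if parts.scheme.lower() != "https" or not parts.hostname:
        return None
    # Fragments and userinfo are classic ways to smuggle a different target.
    if parts.fragment or parts.username is not None or parts.password is not None:
        return None
    # Decode exactly once; anything still encoded (e.g. %25) is refused so the
    # string cannot be interpreted differently by a later decoder.
    path = unquote(parts.path or "/")
    if "\\" in path or "\x00" in path or "%" in path:
        return None
    # Collapse '.', '..' and '//' so '/oauth/callback/../../x' cannot pass a
    # prefix-style check; a trailing slash is also dropped on both sides.
    path = posixpath.normpath(path)
    if not path.startswith("/"):
        return None
    host = parts.hostname.lower()
    if port not in (None, 443):
        host = f"{host}:{port}"
    return urlunsplit(("https", host, path, parts.query, ""))


def redirect_uri_allowed(client_id: str, redirect_uri: str) -> bool:
    """Exact-match policy: the canonical redirect URI must equal one of the
    client's registered URIs. Prefix or substring matching is what lets
    crafted paths leak tokens, so it is deliberately not used here."""
    canon = canonicalize(redirect_uri)
    if canon is None:
        return False
    allowed = {canonicalize(u) for u in REGISTERED.get(client_id, ())}
    return canon in allowed
```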

While most applications on Facebook are third-party apps that users need to manually approve, there are a few built-in applications that are pre-approved. One such application is Facebook Messenger; its access token doesn't expire unless the user changes their password, and it has extensive permissions to access account data.

Facebook Messenger can read, send, upload and manage messages, notifications, photos, emails, videos, and more. The URL manipulation vulnerability found on m.facebook.com and touch.facebook.com could have been exploited to steal a user's access token for Facebook Messenger, which would have given the attacker full access to the account, Goldshlager said.

The attack URL could have been shortened with one of the many URL shortener services and sent to users masquerading as a link to something else. The attack would also have worked on accounts that had Facebook's two-factor authentication enabled, Goldshlager said.

With the access token and the Facebook user ID, an attacker can extract information from the user account by using the Graph API Explorer, a tool for developers available on Facebook's site, Goldshlager said Friday via email.

According to Goldshlager, the Facebook Security Team fixed the vulnerability. "Facebook has a professional security team and they fix issues very fast," he said.

Facebook did not immediately respond to an inquiry sent Friday seeking information on whether the vulnerability had been exploited for malicious purposes before or after Goldshlager found it and reported it. The company lists Nir Goldshlager on its "Thank You" page for whitehat security researchers for 2013.

The researcher claims that he also found other OAuth-related vulnerabilities that affect Facebook, but declined to reveal any information about them because they haven't been fixed yet.

Facebook runs a bug bounty program through which it pays monetary rewards to security researchers who find and responsibly report vulnerabilities affecting the site.

Goldshlager said on Twitter that he has not yet been paid by Facebook for reporting this vulnerability, but noted that his report included multiple vulnerabilities and that he will probably receive the reward after all of them get fixed.

Facebook pays security researchers very well for finding and reporting bugs, Goldshlager said via email. "I can't say how much, but they pay more than any other bug bounty program that I know."


Lucian Constantin

IDG News Service