Facebook said to fix OAuth-based account hijacking flaw
The vulnerability could have allowed attackers to steal OAuth tokens and access Facebook account, a researcher says
IDG News Service - Facebook has patched a serious vulnerability that could have allowed attackers to easily gain access to private user account data and control accounts by tricking users into opening specifically crafted links, a Web application security researcher said late Thursday.
Nir Goldshlager, the researcher who claims to have found the flaw and reported it to Facebook, posted a detailed description and video demonstration of how the attack worked on his blog.
The vulnerability would have allowed a potential attacker to steal sensitive pieces of information known as OAuth access tokens. Facebook uses the OAuth protocol to give third-party applications access to user accounts after users approve them. Each application is assigned a unique access token for every user account.
Goldshlager found a vulnerability on Facebook's websites for mobile and touch-enabled devices that stemmed from improper sanitization of URL paths. This allowed him to craft URLs that could have been used to steal the access token for any application a user had installed on their profile.
While most applications on Facebook are third-party apps that users need to manually approve, there are a few built-in applications that are pre-approved. One such application is Facebook Messenger; its access token doesn't expire unless the user changes his password and it has extensive permissions to access account data.
Facebook Messenger can read, send, upload and manage messages, notifications, photos, emails, videos, and more. The URL manipulation vulnerability found on m.facebook.com and touch.facebook.com, could have been exploited to steal a user's access token for Facebook Messenger, which would have given the attacker full access the account, Goldshlager said.
The attack URL could have been shortened with one of the many URL shortener services and sent to users masquerading as a link to something else. The attack would also have worked on accounts that had Facebook's two-factor authentication enabled, Goldshlager said.
With the access token and the Facebook user ID, an attacker can extract information from the user account by using the Graph API Explorer, a tool for developers available on Facebook's site, Goldshlager said Friday via email.
According to Goldshlager, the Facebook Security Team fixed the vulnerability. "Facebook has a professional security team and they fix issues very fast," he said.
"We applaud the security researcher who brought this issue to our attention and for responsibly reporting the bug to our White Hat Program," a Facebook representative said Friday via email. "We worked with the team to make sure we understood the full scope of the vulnerability, which allowed us to fix it without any evidence that this bug was exploited in the wild. Due to the responsible reporting of this issue to Facebook, we have no evidence that users were impacted by this bug. We have provided a bounty to the researcher to thank them for their contribution to Facebook Security."
- Best iPhone, iPad Business Apps for 2014
- 14 Tech Conventions You Should Attend in 2014
- 10 Desktop Apps to Power Your Windows PC
- How to Add New Job Skills Without Going Back to School
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The Threat Landscape Hardly a day goes by without the discovery of a new cyberthreat somewhere in the world! But how do you keep up with...
- Security for Virtualization In the rush to implement virtualization, security has become second. So while the business benefits are clear, the risks are less well documented...
Red Hat Enterprise Linux - The Original Cloud Operating System
Linux adoption is growing against a number of measures, such as the
number of supercomputers that run Linux and the size of the contributing...
- OpenStack Hype vs. Reality: CIO Quick Pulse Open-source architecture can enable IT departments to build infrastructure-as-a-service (IaaS) clouds running on standard hardware.
- Webinar: Building a Big Data solution that's production-ready Big data solutions are no longer just a nice-to-have.
- Meg Whitman presents Unlocking IT with Big Data During this Web Event you will hear Meg Whitman, President and CEO, HP discuss HAVEn - the #1 Big Data platform, as well... All Malware and Vulnerabilities White Papers | Webcasts