ocial media supersite Facebook has fixed a vulnerability that could have allowed a hacker to access a user’s account simply by getting them to click through to a specially crafted website. The flaw essentially mimicked the functionality of an authentic Facebook application without actually installing an application to their profile.
The vulnerability, which exploits Facebook’s OAuth authentication dialog, was detailed by security researcher Nir Goldshlager in a blog post last week. The flaw reportedly gave Goldshlager “full permission” access to users’ accounts, allowing him the ability to read users’ inboxes, outboxes, manage pages, ads and view private photos. While apps normally only ask for permission to post statuses on users’ walls, Goldshlager found a way for his app to “steal unique access tokens” to give him control over any Facebook account.
Goldshlager modified the URL string Facebook’s OAuth service usually uses when users agree to install an application. In doing so, he could send users to his own site, trigger an access token he stored there and eliminate the authentication pop up that users would usually have to agree to before giving an app access to their accounts. From there, an attacker would be in – basically granting themselves access to the account.
Goldshlager was able to fuzz characters in the URL string to allow the exploit on different browsers. After that he could redirect the victim to any file in any Facebook subdomain, including a fake application he created to send that “unique access token” from his site to the infected Facebook account.
There are some limitations to Goldshlager’s technique though – since it’s more of a personal attack, only one account can be targeted at a time and the exploit can fail to work in the off chance that a user changes their password.
According to the Wall Street Journal, Facebook immediately patched the flaw, insisting it had “no evidence that users were impacted by this bug.”
In accordance with Facebook’s White Hat program, Goldshlager was awarded an undisclosed amount of money and his name, along with other researchers who responsibly disclose vulnerabilities to Facebook, is the latest to appear on its White Hat Thanks page.