A hacker named ‘Nir Goldshlager’ has published an account of how he managed to hack Facebook OAuth and, as a result, “could steal unique access tokens that provide me full control over any Facebook account”.
Facebook OAuth is the mechanism by which third-party applications are authorised to act on behalf of Facebook users.
OAuth is used to grant extra permissions to Facebook apps. For a Facebook app to obtain a given permission, the user has to ‘allow’ or ‘accept’ the app’s request; only then can the app access that user’s account information with the permissions it was granted.
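To make the grant step concrete, the following is an added, simplified model of an OAuth 2.0 consent flow written for this article; it is not Facebook's code, and the app id, redirect URI, scope names, endpoint path and user names are constructed. It shows the two things the paragraph above describes: an app asks for named permissions (scopes), and nothing is issued until the user accepts. It also shows the provider-side checks that keep an issued token from reaching anyone but the registered app, which is what matters when the prize is an access token.

```python
"""Simplified OAuth 2.0 consent model (added illustration, not Facebook's code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional
import secrets
from urllib.parse import urlencode

# Constructed registry of apps that have registered with the provider.
# Real providers populate this at app-registration time; values are made up.
REGISTERED_APPS = {
    "app_example_123": {
        "redirect_uris": {"https://app.example/callback"},
        "allowed_scopes": {"public_profile", "email", "user_friends"},
    },
}


class AuthorizationError(Exception):
    """Raised when the provider refuses a request before asking the user."""


def build_dialog_url(app_id: str, redirect_uri: str, scopes: List[str], state: str) -> str:
    """URL the app sends the user to so the provider can ask for consent.
    The host and path are hypothetical; the query parameters mirror OAuth 2.0."""
    query = urlencode({
        "client_id": app_id,
        "redirect_uri": redirect_uri,
        "scope": ",".join(scopes),
        "response_type": "token",
        "state": state,  # app-side anti-CSRF value, echoed back on the redirect
    })
    return f"https://provider.example/dialog/oauth?{query}"


@dataclass
class AuthorizationServer:
    # issued token -> (user, app_id, granted scopes)
    tokens: Dict[str, tuple] = field(default_factory=dict)

    def authorize(self, app_id: str, redirect_uri: str, scopes: List[str],
                  user: str, user_accepts: bool) -> Optional[str]:
        """Provider's side of the consent dialog.

        Returns an access token when the user accepts, None when the user
        declines, and raises AuthorizationError for requests that must be
        rejected before the user is even asked."""
        app = REGISTERED_APPS.get(app_id)
        if app is None:
            raise AuthorizationError("unknown app")
        # Exact match against the registered redirect URIs: a token delivered
        # to any other address ends up with whoever controls that address.
        if redirect_uri not in app["redirect_uris"]:
            raise AuthorizationError("redirect_uri not registered for this app")
        requested = set(scopes)
        if not requested <= app["allowed_scopes"]:
            raise AuthorizationError(
                f"scope not permitted: {sorted(requested - app['allowed_scopes'])}")
        if not user_accepts:
            return None
        token = secrets.token_urlsafe(32)
        self.tokens[token] = (user, app_id, frozenset(requested))
        return token

    def check(self, token: str, needed_scope: str) -> Optional[str]:
        """Resource-side check: whose token is this, and does it carry the
        scope the API call requires? Returns the user name or None."""
        entry = self.tokens.get(token)
        if entry is None:
            return None
        user, _app_id, granted = entry
        return user if needed_scope in granted else None


if __name__ == "__main__":
    server = AuthorizationServer()
    url = build_dialog_url("app_example_123", "https://app.example/callback",
                           ["email"], state=secrets.token_urlsafe(16))
    print("consent dialog:", url)
    tok = server.authorize("app_example_123", "https://app.example/callback",
                           ["email"], user="alice", user_accepts=True)
    print("email readable for alice:", server.check(tok, "email") == "alice")
    print("friends readable:", server.check(tok, "user_friends"))
```

The point of the exact `redirect_uri` comparison is that the token is only ever handed to the address the app registered; any looser matching (prefix, substring, wildcard) is the kind of gap that turns "the victim only needs to visit a webpage" into a token leak. The scope check likewise keeps an app from asking for more than it was registered to receive.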
In his blog post, Nir Goldshlager explained that “just to clarify, there is no need for any installed apps on the victim’s account; even if the victim never allowed any application in his Facebook account, I could still be getting full permissions (this bug works on any browser).
“To make this exploit work, the victim only needs to visit a webpage.”
In the blog post, the whitehat (or ‘ethical’) hacker states that he discovered a vulnerability in Facebook’s OAuth system that allowed him to gain full control over any Facebook account.
He also gives a step-by-step account of how he did it, along with a guide to how Facebook’s OAuth works.