Facebook has patched OAuth bug found by researcher

A very serious vulnerability was recently discovered in Facebook’s OAuth system, which would allow hackers to gain full control over any compromised Facebook account and access private user data.

Nir Goldshlager claims to have found the vulnerability that is started by duping users into clicking malicious links. Goldshlager posted a detailed description along with video example of how the attack works on his blog post titled, “How I Hacked Facebook OAuth To Get Full Permission On Any Facebook Account (Without App ‘Allow’ Interaction).”

Facebook has now patched the vulnerability that would have allowed hackers to steal sensitive information from Facebook’s OAuth system. OAuth is designed to give third-party applications the ability to access users’ account info when approved. An “access token” is assigned to each application for each user.

However, Goldshlager found a way around the access tokens and confirmed that there was “no need for any installed apps on the victim’s account, Even if the victim never allowed any application in his Facebook account,” and could still access full permissions (i.e., “read inbox, outbox, manage pages, manage ads, read private photos, videos, etc.”).

The vulnerability stemmed from improper sanitization of URL paths, and allowed him to manipulate URLs that could be used to steal access tokens. Because there are certain applications, such as Facebook Messenger, that users don’t control whether access to information is granted or not, the attacker could get into anyone’s account through the URL manipulation.

“We applaud the security researcher who brought this issue to our attention and for responsibly reporting the bug to our White Hat Program,” a Facebook spokesperson emailed CSO Online today. “We worked with the team to make sure we understood the full scope of the vulnerability, which allowed us to fix it without any evidence that this bug was exploited in the wild. Due to the responsible reporting of this issue to Facebook, we have no evidence that users were impacted by this bug. We have provided a bounty to the researcher to thank them for their contribution to Facebook Security.”

Facebook has a very quick security team who has already patched the demonstrated vulnerability. Other bugs in the system that Goldshlager found have not been fixed yet, so he has not revealed any further details.

Goldshlager will be financially rewarded by Facebook through their bug bounty program to pay security researchers who find and report vulnerabilities. He yet doesn’t know the exact amount, but has said that he is not aware of a higher paying bug bounty program.

Making sure you have a highly skilled group of security leaders and team members, as well having regular vulnerability assessments performed by outside companies will ensure your system is secure. Tiro Security can supply your enterprise with either of those. Contact us to find more about our Executive Search options.

Posted in