Fixed: OAuth Flaw Gave Researcher Full Access To Any Facebook Account

by Patrick Batesman

Facebook had another close brush with security. The Facebook Security team patched a flaw, reported by a security researcher, that could have allowed attackers to gain full control of any Facebook account.

Nir Goldshlager, a web application security expert, disclosed that he found a bug in Facebook’s OAuth system, the protocol Facebook uses to let apps act on behalf of users. By exploiting this loophole, one could steal the unique access tokens that provide full control over any Facebook account.


He also noted that the victim did not need to have any app installed; simply visiting a web page was enough, and the bug worked in any browser.

He says that by tampering with the OAuth URL, users can be made to land on an external website that “records” their unique access token.

By inserting the URL of a built-in Facebook app such as Facebook Messenger, Goldshlager was able to gain automatic access to any account with full permissions.

According to him, the worst part of the attack is that the stolen access tokens keep working until the user changes their password, which for most users could mean never.
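As an added example, not code from the article or from Facebook: the token leak described above depends on the authorization server sending the token to a redirect destination the attacker chose, so the defensive control is how the server matches the requested OAuth `redirect_uri` against what the app registered. The client id, registered URIs and function names below are constructed for illustration.

```python
"""Loose vs. strict redirect_uri validation for an OAuth authorization server.

A prefix/substring check lets a tampered redirect_uri slip through; an exact
match on the canonical (scheme, host, port, path, query) with no fragment and
https only does not.
"""
from urllib.parse import urlsplit, parse_qs

# Constructed sample registration: one client with two registered redirect URIs.
REGISTERED = {
    "client_a": {
        "https://app.example.com/oauth/callback",
        "https://app.example.com/login/done",
    }
}


def _canonical(uri):
    """Return (scheme, host, port, path, query), or None if the URI is unacceptable."""
    p = urlsplit(uri)
    try:
        port = p.port if p.port is not None else 443
    except ValueError:  # malformed port such as ":abc"
        return None
    if p.scheme != "https" or not p.hostname or p.fragment:
        return None
    return (p.scheme, p.hostname.lower(), port, p.path or "/", p.query)


def loose_redirect_ok(client_id, redirect_uri):
    """Weak check: accepts any redirect_uri that merely starts with a registered one."""
    return any(redirect_uri.startswith(r) for r in REGISTERED.get(client_id, ()))


def strict_redirect_ok(client_id, redirect_uri):
    """Exact-match check on the canonical form; extra path, query or fragment is rejected."""
    c = _canonical(redirect_uri)
    if c is None:
        return False
    return any(_canonical(r) == c for r in REGISTERED.get(client_id, ()))


def validate_authorize_request(url):
    """Parse an /authorize request URL and decide whether to proceed under the strict check."""
    q = parse_qs(urlsplit(url).query)
    client_id = q.get("client_id", [""])[0]
    redirect_uri = q.get("redirect_uri", [""])[0]
    return strict_redirect_ok(client_id, redirect_uri)
```

The loose check also rejects harmless variants such as an explicit `:443` port while accepting appended paths and query strings, which is exactly backwards from what the server needs.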

Fortunately for us all, he reported the bug to Facebook, and it has since been fixed by the Facebook Security Team.

A Facebook spokesperson told Business Insider:

We applaud the security researcher who brought this issue to our attention and for responsibly reporting the bug to our white hat program. We worked with the team to make sure we understood the full scope of the vulnerability, which allowed us to fix it without any evidence that this bug was exploited in the wild. Due to the responsible reporting of this issue to Facebook, we have no evidence that users were impacted by this bug. We have provided a bounty to the researcher to thank him for his contribution to Facebook Security.

Goldshlager details his experimentation on his blog www.nirgoldshlager.com.
