Another Close Call For Facebook; Security Team Closes Loophole Reported By Developer

By David Cohen

Facebook averted another close call on the security front, as the Facebook Security team closed a loophole, reported by developer Nir Goldshlager, that would have let attackers gain full control over any Facebook account.

Goldshlager detailed in a blog post how he experimented with adding different code and characters to Facebook URLs, and was able to make an application of his own pose as Facebook Messenger, a built-in app that users never need to accept, and so gain access to users’ Facebook data:

To carry out a successful attack, the victim needs to use a Facebook application (Texas Holdem Poker, Diamond Dash, etc.), and these applications only have basic permissions. We can always change the scope of the application permission and set a new permission, but this method is not powerful, because the victim needs to accept the new permissions of the app.

I wanted something more powerful — something that will give me full permissions (read inbox, outbox, manage pages, manage ads, access to private photos, videos, etc.) on the victim’s account without any installed application on the victim and make Facebook do the Goldshake ;). So I started thinking: How can this be done?

What if I use a different app_id? The app_id of Facebook Messenger, for example: Does the user need to accept the Facebook Messenger app in his Facebook account? The answer is no. There are built-in apps in Facebook that users never need to accept, and these apps have full control of their accounts.

Also, I found that this access_token never expired in Facebook Messenger — only after the victim changes his password will the access_token expire, but why the hell would the user change the password?

Fortunately, Goldshlager reported the loophole he found to Facebook, which was able to correct the situation. A Facebook spokesperson told Business Insider:

We applaud the security researcher who brought this issue to our attention and for responsibly reporting the bug to our white hat program. We worked with the team to make sure we understood the full scope of the vulnerability, which allowed us to fix it without any evidence that this bug was exploited in the wild. Due to the responsible reporting of this issue to Facebook, we have no evidence that users were impacted by this bug. We have provided a bounty to the researcher to thank him for his contribution to Facebook Security.

Readers: Are you concerned that Facebook has been such a huge target of late, reassured by the social network’s efforts on the security front, or both?
