Facebook plugs hole that allowed account hijacking - blayowle1987
Facebook has patched a serious vulnerability that could have allowed attackers to easily gain access to private user account information and manipulate accounts by tricking users into opening specially crafted links, a Web application security researcher said late Thursday.
Nir Goldshlager, the researcher who claims to have found the flaw and reported it to Facebook, posted a detailed description and video demonstration of how the attack worked on his blog.
The vulnerability would have allowed a potential attacker to steal sensitive pieces of information known as OAuth access tokens. Facebook uses the OAuth protocol to give third-party applications access to user accounts after users approve them. Each application is assigned a unique access token for every user account.
Goldshlager found a vulnerability in Facebook's websites for mobile and touch-enabled devices that stemmed from improper sanitization of URL paths. This allowed him to craft URLs that could have been used to steal the access token for any application a user had installed on their profile.
While most applications on Facebook are third-party apps that users need to manually approve, there are a few built-in applications that are pre-approved. One such application is Facebook Messenger; its access token doesn't expire unless the user changes his password, and it has extensive permissions to access account information.
Facebook Messenger can read, send, upload, and manage messages, notifications, photos, emails, videos, and more. The URL manipulation vulnerability found on m.facebook.com and touch.facebook.com could have been exploited to steal a user's access token for Facebook Messenger, which would have given the attacker full access to the account, Goldshlager said.
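The article attributes the token theft to improper sanitization of URL paths but does not describe Facebook's validation logic, so the following is an added example rather than Facebook's code or Goldshlager's proof of concept. It contrasts the kind of redirect-target check that only prefix-matches a path (and so accepts anything appended, dot segments, percent-encoded segments, fragments and odd ports) with a strict check that requires the URL to already be in canonical form and to match a registered (scheme, host, path) triple exactly. The allowlist, hostnames and sample URLs are constructed for illustration.

```python
"""Weak vs. strict redirect_uri validation for an OAuth authorization endpoint.

Added example; the registered redirect, hostnames and sample URLs below are
constructed and do not describe any real application or Facebook's checks.
"""
from urllib.parse import urlsplit, unquote
import posixpath

# Constructed allowlist: the exact redirect targets an application registered,
# stored as (scheme, host, path) triples.
REGISTERED_REDIRECTS = {
    ("https", "app.example.com", "/oauth/callback"),
}


def weak_is_allowed(redirect_uri: str) -> bool:
    """Weak check: scheme and host must match, but the path only has to
    *start with* the registered path, so anything appended is accepted."""
    parts = urlsplit(redirect_uri)
    return any(
        parts.scheme == scheme
        and parts.hostname == host
        and parts.path.startswith(path)
        for scheme, host, path in REGISTERED_REDIRECTS
    )


def canonical_path(raw_path: str) -> str:
    """Percent-decode and collapse dot segments so that disguised spellings of
    a path compare equal to its plain form."""
    decoded = unquote(raw_path) or "/"
    normalized = posixpath.normpath(decoded)
    # normpath drops a trailing slash and turns "" into "."; treat both as "/"
    return "/" if normalized == "." else normalized


def strict_is_allowed(redirect_uri: str) -> bool:
    """Strict check: the URL must already be canonical and match a registered
    (scheme, host, path) exactly. Userinfo, query strings, fragments and
    non-default ports are rejected outright."""
    if "#" in redirect_uri:          # a redirect target must carry no fragment
        return False
    try:
        parts = urlsplit(redirect_uri)
        port = parts.port            # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme != "https" or parts.hostname is None:
        return False
    if parts.username is not None or parts.password is not None:
        return False
    if port not in (None, 443) or parts.query:
        return False
    # Any path that is not already canonical (percent-encoded characters,
    # "." or ".." segments, doubled or trailing slashes) is refused.
    if canonical_path(parts.path) != parts.path:
        return False
    return (parts.scheme, parts.hostname, parts.path) in REGISTERED_REDIRECTS


# Constructed sample redirect_uri values, from the plain registered form to
# disguised variants that a prefix match waves through.
SAMPLES = [
    "https://app.example.com/oauth/callback",
    "https://app.example.com/oauth/callback.evil",
    "https://app.example.com/oauth/callback/../../other",
    "https://app.example.com/oauth/callback/%2e%2e/%2e%2e/other",
    "https://app.example.com/oauth/callback#_=_",
    "https://app.example.com:8443/oauth/callback",
    "http://app.example.com/oauth/callback",
]


def compare(samples=SAMPLES):
    """Return {uri: (weak_verdict, strict_verdict)} for each sample."""
    return {uri: (weak_is_allowed(uri), strict_is_allowed(uri)) for uri in samples}


if __name__ == "__main__":
    for uri, (weak, strict) in compare().items():
        print(f"weak={weak!s:5} strict={strict!s:5} {uri}")
```

Only the first sample passes the strict check; the weak check also accepts the appended suffix, both dot-segment forms, the fragment and the non-default port. The design point is that a server should compare the request against what was registered after reducing both to one canonical form, or, better, refuse anything that is not already in that form, rather than deciding on a prefix of the raw string.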
The attack URL could have been shortened with one of the many URL shortener services and sent to users masquerading as a link to something else. The attack would also have worked on accounts that had Facebook's two-factor authentication enabled, Goldshlager said.
With the access token and the Facebook user ID, an attacker can extract information from the user account by using the Graph API Explorer, a tool for developers available on Facebook's site, Goldshlager said Friday via email.
According to Goldshlager, the Facebook Security Team fixed the vulnerability. "Facebook has a professional security team and they fix issues very fast," he said.
"We applaud the security researcher who brought this issue to our attention and for responsibly reporting the bug to our White Hat Program," a Facebook representative said Friday via email. "We worked with the team to make sure we understood the full scope of the vulnerability, which allowed us to fix it without any evidence that this bug was exploited in the wild. Due to the responsible reporting of this issue to Facebook, we have no evidence that users were impacted by this bug. We have provided a bounty to the researcher to thank them for their contribution to Facebook Security."
The researcher claims that he also found other OAuth-related vulnerabilities that affect Facebook, but declined to reveal any information about them because they haven't been fixed yet.
Facebook runs a bug bounty program through which it pays monetary rewards to security researchers who find and responsibly report vulnerabilities affecting the site.
Goldshlager said on Twitter that he has not yet been paid by Facebook for reporting this vulnerability, but noted that his report included multiple vulnerabilities and that he will probably receive the reward after all of them are fixed.
Facebook pays security researchers very well for finding and reporting bugs, Goldshlager said via email. "I can't say how much, but they pay more than any other bug bounty program that I know."
Updated at 11:55 a.m. PT to include a comment from Facebook.
Source: https://www.pcworld.com/article/456949/facebook-plugs-hole-that-allowed-account-hijacking.html