A developer found a way to access any and all Facebook accounts. He reported this to Facebook, which responded by fixing the problem.

Developer Nir Goldshlager found a flaw in Facebook’s code that allowed him to take full control over any Facebook account.
“By exploiting this flaw I could steal unique access tokens that provide me full control over any Facebook account,” Goldshlager writes in a blog post.
He says the flaw gave full permission allowing access to the messages inbox, outbox, page management, ad management, and private photos and videos.
Goldshlager said that the flaw even allowed access to accounts that are protected with 2-step verification.
Fortunately, Goldshlager reported the broken code to Facebook, which has now fixed the problem.
A Facebook PR rep told us:
We applaud the security researcher who brought this issue to our attention and for responsibly reporting the bug to our White Hat Program. We worked with the team to make sure we understood the full scope of the vulnerability, which allowed us to fix it without any evidence that this bug was exploited in the wild. Due to the responsible reporting of this issue to Facebook, we have no evidence that users were impacted by this bug. We have provided a bounty to the researcher to thank them for their contribution to Facebook Security.
He even gives step-by-step instructions for how he made the exploit work.
Just to clarify, there is no need for any installed apps on the victim’s account. Even if the victim never allowed any application in his Facebook account, I could still be getting full permissions (this bug works on any browser).
To make this exploit work, the victim only needs to visit a webpage.
So OAuth is used by Facebook to communicate between applications and Facebook users. Usually users must allow/accept the application request to access their account before the communication can start.
Any Facebook application might ask for different permissions.
This part gets complicated, but it has something to do with the domain of the app and Facebook OAuth, which is what Facebook uses for authorization.
Goldshlager played around with the URL and found that his trick worked on Facebook's mobile browser site.
The rest gets even more complicated, but the exploit revolves around Facebook's built-in applications. There are a few apps that users never need to grant access to, and these apps have full control of your account.