Vulnerability in OAuth Protocol Allows Hacking Any Facebook Account

The vulnerability is contained in the Facebook login feature, which uses the OAuth 2.0 authorization protocol.

Security researcher Amol Baikar discovered a critical vulnerability in the Facebook social network OAuth authorization protocol. The vulnerability has existed for about 10 years, and its exploitation allows attackers hacking into any Facebook account.

The problem is contained in the “Login with Facebook” function, which uses the OAuth 2.0 authorization protocol for exchanging tokens between the social network and other websites.

“I decided to analyze why I always feel insecure while using the “Login with Facebook” feature, since they used multiple redirect URLs. However, finding a vulnerability in Facebook even having the most talented security researchers, was not an easy task. That was a very tough and challenging to find a bug in Facebook OAuth”, — writes Amol Baikar.

A remote culprit can set up a malicious website to intercept OAuth traffic and steal authorization tokens that provide access to the accounts of targeted Facebook users.

After successfully exploiting the vulnerability, an attacker can send messages, publish something in the feed, modify account information, delete messages, and much more on behalf of the victim.

“Login with Facebook” feature follows the OAuth 2.0 Authorization Protocol to exchange the tokens between facebook.com and third-party website. The flaw could allow an attackers to hijack the OAuth flow and steal the access tokens which they could use to take over user accounts. Malicious websites can steal access_token for the most common apps at the same time and could gain access to multiple services, third-party websites. Such as Instagram, Oculus, Netflix, Tinder, Spotify, etc.”, — explained Amol Baikar.

Facebook users are advised to change the password for the account on the social network and log out of accounts on all devices.

Baikar told Facebook about the discovered vulnerability, and the company paid the researcher a reward of $55 thousand.

At the same time, as I wrote, Facebook has been turning a blind eye to the fact that in its other product – whatsapp, search engines index private secret groups.

By Vladimir Krasnogolovy

Vladimir is a technical specialist who loves giving qualified advices and tips on GridinSoft's products. He's available 24/7 to assist you in any question regarding internet security.

Leave a comment

Your email address will not be published. Required fields are marked *