
Researcher finds flaw that grants access to any Facebook account

On February 25, 2013, 4:00 PM

A security expert recently outlined steps on his blog that allowed him to gain unprecedented access to anyone’s Facebook account. Nir Goldshlager said a flaw in Facebook’s OAuth service, which developers use to ask users for permission to access their data from within an app, granted full access to every Facebook account.

If you use Facebook, you’re already familiar with the OAuth service – it’s that small “allow” button you have to click to give a developer access to certain data. But by modifying the OAuth URL, Goldshlager was able to access the inbox, outbox, photos, videos and more of anyone he wanted.

Typically a person would still have to click the “allow” button, but by routing the request through Facebook’s messaging app he was able to bypass that step, and the technique worked on all browsers. The flaw would keep working until a user changed their password, he said, because the token had no expiration date.
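The two weaknesses the article describes are a manipulable OAuth redirect target and an access token that never expires. The following is an added defender-side example, not Facebook’s code or Goldshlager’s: it assumes the modified URL parameter was the app’s redirect URI (the article does not say which part of the URL was changed) and shows a lax prefix match beside an exact-match check, plus tokens that carry an expiry. The app registry and all values are constructed.

```python
"""Authorization-server checks for redirect targets and token lifetime.
Added example; the app registry below is constructed for illustration."""
import time
from urllib.parse import urlsplit

# Constructed registry: app id -> the exact redirect URIs the app registered.
REGISTERED_APPS = {
    "app123": {"https://example-app.test/oauth/callback"},
}


def redirect_uri_allowed_lax(app_id: str, redirect_uri: str) -> bool:
    """The weak pattern: prefix matching. Anything appended after the
    registered URI (extra path, query, fragment) is accepted."""
    return any(redirect_uri.startswith(r) for r in REGISTERED_APPS.get(app_id, ()))


def redirect_uri_allowed(app_id: str, redirect_uri: str) -> bool:
    """The hardened check: exact string match against the registered list,
    https only, no fragment. No prefix or wildcard-host matching."""
    parts = urlsplit(redirect_uri)
    if parts.scheme != "https" or "#" in redirect_uri:
        return False
    return redirect_uri in REGISTERED_APPS.get(app_id, set())


def issue_token(user_id: str, app_id: str, ttl_seconds: int = 3600, now=None) -> dict:
    """Every token carries an expiry; the article notes the flawed token had none,
    so it stayed valid until the victim changed their password."""
    now = time.time() if now is None else now
    return {"user": user_id, "app": app_id, "exp": now + ttl_seconds}


def token_valid(token: dict, now=None) -> bool:
    """A token with no 'exp' field is treated as already expired."""
    now = time.time() if now is None else now
    return token.get("exp", 0) > now
```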

Instead of exploiting the bug for his own personal gain, Goldshlager worked with Facebook’s White Hat Program to get the vulnerability patched. The White Hat Program rewards security researchers who bring vulnerabilities to the social network’s attention.

A spokesperson for Facebook said that, due to the responsible reporting of the issue, there is no evidence that users were impacted by the bug. Facebook further said it provided a bounty to the researcher as thanks for his contribution, although it didn’t disclose the amount of the reward.


User Comments: 4

  1. A billion users private conversations and photos open to the public... it could have changed the world!

  2. Private on the internet? Nothing is private on the internet!

  3. Nice to see a story about someone using their powers for good.

    Also, dude's name reminded me of this: [link]

  4. I got rid of my master account on FB, don't need that on there. Use another account with less info on. What makes matters worse is they want cell phone and credit card info. Never going to happen with me. You're supposed to log in using https:// not http://.
