Researcher finds flaw that grants access to any Facebook account

By on February 25, 2013, 4:00 PM

A security expert recently outlined steps on his blog that allowed him to gain unprecedented access to anyone’s Facebook account. Nir Goldshlager said a flaw in Facebook’s OAuth service, which is used by developers to solicit permission from users to access data when using an app, granted full access to every Facebook account.

If you use Facebook, you’re already familiar with the OAuth service – it’s that small “allow” button you have to click to give a developer access to certain data. But by modifying the OAuth URL, Goldshlager was able to access the inbox, outbox, photos, videos and more of anyone he wanted.

Typically a person would still have to click the “allow” button, but by going through Facebook’s messaging app he was able to circumvent this step, and the technique worked on all browsers. The flaw would work until a user changed their password, he said, because the token had no expiration date.
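The two weaknesses the article describes, a tampered OAuth URL and a token that never expires, correspond to two checks an authorization server should enforce. The Python below is an added example, not Facebook’s code and not from Goldshlager’s write-up; it assumes the tampered part of the URL was the callback (redirect) target, and the app id, registered URI and lifetime are constructed values.

```python
import secrets
import time
from urllib.parse import urlsplit

# Constructed registration data for a hypothetical app (assumption, not a real configuration).
REGISTERED_REDIRECTS = {
    "app123": {"https://app.example.com/oauth/callback"},
}
TOKEN_TTL_SECONDS = 3600          # assumed lifetime; the point is that one exists
_issued_tokens = {}               # token -> (app_id, expires_at)


def redirect_is_allowed(app_id, redirect_uri):
    """Exact-match check: the callback must equal a registered URI byte for byte.
    Prefix or host-only matching would let an added path, query or fragment
    steer the issued token somewhere the developer never registered."""
    parts = urlsplit(redirect_uri)
    if parts.scheme != "https" or parts.fragment:
        return False
    return redirect_uri in REGISTERED_REDIRECTS.get(app_id, set())


def issue_token(app_id, redirect_uri, now=None):
    """Issue a short-lived bearer token, and only for a registered callback."""
    if not redirect_is_allowed(app_id, redirect_uri):
        raise ValueError("redirect_uri does not exactly match a registered callback")
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    _issued_tokens[token] = (app_id, now + TOKEN_TTL_SECONDS)
    return token


def token_is_valid(token, now=None):
    """Reject unknown or expired tokens. A token with no expiry, as in the
    article, stays usable until the account password changes."""
    now = time.time() if now is None else now
    entry = _issued_tokens.get(token)
    return entry is not None and now < entry[1]
```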

Instead of exploiting the bug for his own personal gain, Goldshlager worked with Facebook’s White Hat Program to get the vulnerability patched. The White Hat Program rewards security researchers who bring vulnerabilities to the social network’s attention.

A spokesperson for Facebook said that, due to the responsible reporting of the issue, there is no evidence that users were impacted by the bug. Facebook further said it provided a bounty to the researcher as thanks for his contribution, although it didn’t disclose the amount of the reward.

User Comments: 4

spydercanopus said:

A billion users private conversations and photos open to the public... it could have changed the world!

Guest said:

Private on the internet? Nothing is private on the internet!

SNGX1275, TS Forces Special, said:

Nice to see a story about someone using their powers for good.

Also, dude's name reminded me of this: [link]

tipstir, TS Ambassador, said:

I got rid of my master account on FB; don't need that on there. Use another account with less info on. What makes matters worse is they want cell phone and credit card info. Never going to happen with me. You're supposed to log in using https:// not http://.
