A security expert recently outlined steps on his blog that allowed him to gain unprecedented access to anyone’s Facebook account. Nir Goldshlager said a flaw in Facebook’s OAuth service, which developers use to solicit permission from users to access their data when using an app, granted full access to every Facebook account.
If you use Facebook, you’re already familiar with the OAuth service – it’s that small “allow” button you have to click to give a developer access to certain data. But by modifying the OAuth URL, Goldshlager was able to access the inbox, outbox, photos, videos and more of anyone he wanted.
Typically a person would still have to click the “allow” button, but by going through Facebook’s messaging app he was able to circumvent this step, and the bypass worked on all browsers. The flaw would work until a user changed their password, he said, because the token had no expiration date.
Instead of exploiting the bug for his own personal gain, Goldshlager worked with Facebook’s White Hat Program to get the vulnerability patched. The White Hat Program rewards security researchers who bring vulnerabilities to the social network’s attention.
A spokesperson for Facebook said that, due to the responsible reporting of the issue, there is no evidence that users were impacted by the bug. Facebook further said it provided a bounty to the researcher as thanks for his contribution, although it didn’t disclose the amount of the reward.