Facebook’s security is not airtight, as one researcher demonstrated by exposing one of its flaws.
Security blogger Nir Goldshlager said he found a vulnerability in Facebook’s OAuth implementation that gave him full access to a user’s profile information.
OAuth is an open standard for secure authorization from desktop, mobile, and web applications. With it, users can authorize an app to act on their behalf without sharing their password.
Goldshlager published the full details on his blog of how he abused Facebook’s OAuth flow to gain full access to a user’s profile.
He said Facebook confirmed and immediately fixed the vulnerability after he brought it to their attention.
But how safe is user data from expert developers who know the social network’s inner workings?
Facebook users who have added an app to their accounts know that the first step is to click “Accept,” granting the app permission to access their profile data.
Goldshlager found a flaw in the OAuth flow that gave him full access, without the user ever granting it, to view private photos and videos, read inbox and outbox messages, manage pages and ads, and more.
In the normal flow, the OAuth URL directs the user to a Facebook page that opens the authorization popup. Goldshlager modified that URL so the user was instead redirected to a page he controlled; that page captured the resulting access token, so the consent popup never appeared.
The technique gave him access to the profile information of a user who was completely unaware that anything had happened.
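The redirect manipulation described above belongs to a well-known class of OAuth weakness: an authorization server that validates the redirect target too loosely will hand the access token to whatever page the attacker names, with no consent step. The Python below is an added illustration of that class, not Goldshlager’s published exploit and not Facebook’s code; the registered callback, the attacker hostnames and the token value are constructed for the example, and the “loose” validator is an assumed weak check, not a description of Facebook’s actual bug.

```python
from urllib.parse import urlsplit, parse_qs, urlencode, urlunsplit

# Constructed sample: the redirect URI the app registered with the authorization server.
REGISTERED_REDIRECT = "https://example-app.test/oauth/callback"


def loose_redirect_ok(redirect_uri):
    """Assumed weak check: accepts any target that merely starts with the registered
    origin string. A hostname such as example-app.test.attacker.example, or a URL with
    userinfo like https://example-app.test@attacker.example/, sails through."""
    return redirect_uri.startswith("https://example-app.test")


def strict_redirect_ok(redirect_uri):
    """Hardened check: scheme, host/port and path must equal the registered value
    exactly, and the request may carry no query string or fragment of its own."""
    req = urlsplit(redirect_uri)
    reg = urlsplit(REGISTERED_REDIRECT)
    return (
        req.scheme == reg.scheme
        and req.netloc == reg.netloc
        and req.path == reg.path
        and req.query == ""
        and req.fragment == ""
    )


def authorize(redirect_uri, token, validator):
    """Model of the authorization server's final step in the implicit flow.
    If the redirect target passes `validator`, the access token is appended as a URL
    fragment and the browser is sent there. Returns the final URL, or None if refused."""
    if not validator(redirect_uri):
        return None
    parts = urlsplit(redirect_uri)
    fragment = urlencode({"access_token": token})
    return urlunsplit((parts.scheme, parts.netloc, parts.path, parts.query, fragment))


def extract_token(url):
    """What the attacker's landing page does: read the token out of the fragment."""
    return parse_qs(urlsplit(url).fragment).get("access_token", [None])[0]


if __name__ == "__main__":
    # Constructed attacker-controlled target; note the lookalike prefix.
    attacker_uri = "https://example-app.test.attacker.example/steal"
    for name, validator in (("loose", loose_redirect_ok), ("strict", strict_redirect_ok)):
        result = authorize(attacker_uri, "tok123", validator)
        print(f"{name:6s} validator -> {result!r}")
        if result:
            print("  attacker page recovers token:", extract_token(result))
```

With the loose check the victim only has to follow a link: the server redirects them to the attacker’s page with the token in the fragment, and no “Accept” dialog is ever shown. The strict validator refuses both the lookalike host and the userinfo trick, and also rejects a registered URI with extra query or fragment data appended.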
Goldshlager said he had no indication that other hackers knew of the vulnerability or had used it to access anyone’s profile, and noted that each use of the flaw exposed only a single user’s account.
Because of that limited scope, and because the victim had to be lured to the attacker’s URL, the vulnerability would only have let an attacker steal data from one user at a time; it is unlikely anyone built automated tooling to target a single account.
An attack using this vulnerability would have been a targeted, personal one, which is why Facebook and Goldshlager are confident that attackers did not bother with it.
Only experienced app developers were likely to stumble on the vulnerability, and they would have had little reason to settle for less than the rewards of Facebook’s White Hat program.
Facebook’s bug bounty program pays cash rewards to bug hunters, and Goldshlager said he received an undisclosed amount for reporting this flaw.
He also said he had found several other app-authorization bugs in Facebook but gave no further details about them.
Even though Facebook has fixed this vulnerability, Goldshlager’s findings raise uncomfortable questions about the level of access that developers can gain to user accounts.
White-hat hackers want to help; black-hat hackers work for personal gain.
Update: Nir Goldshlager was able to access the victim’s account even when the victim had no apps installed. He said the bug worked in any web browser.