Researcher Rewarded with $55K by Facebook for finding a 10 year old bug that compromised Facebook users accounts
Two days ago while searching online, I stumbled across a research done by a security researcher named Amol Baikar that caught my attention. The research was about a 10-year old Facebook bug that could’ve been used by the hackers to purloin access token and take over the control of anyone’s Facebook account.
As soon as the report was sent to Facebook, the bug was verified and removed by their technical team and researcher Amol Baikar was rewarded with a hefty amount of $55000.
The fact that Facebook was unaware of such a serious glitch in their system for so long mind-boggled me.
So I decided to dig a bit deeper to get a complete understanding of the problem. After spending 22 hours on research, this is what I came up with on this topic.
The account high jacking vulnerability that was found by the researcher dwelled inside the authorization feature of Facebook i.e. Login with Facebook. Facebook uses OAuth 2.0 as the authorization protocol to exchange a token between itself and the third-party website.
This vulnerability could allow the hackers to steal the access token by taking over the OAuth flow as well as could help them in accessing the services and third-party websites like Instagram, Oculus, Netflix, to name a few.
As soon as the hacker thieves the access token, they could easily gain complete control of the victim’s account which means they had access to the photos, videos, and messages, no matter what the privacy control is set to by the user.
This bug was reported to Facebook in December 2019 and it’s been ironed out swiftly by Facebook. Amol Baikar was rewarded with 55000$ under a responsible disclosure bug bounty program which is the highest reward for a client site account takeover to date.
Below is the explanation of how hackers can steal Facebook users’ access token and take over their accounts.
The Access Token & Account Takeover
Two different points were identified in this vulnerability flow. These points are:
- “X-Frame-Options” header.
- “Window.parent” that saves the user interaction to zero.
The following cross-domain communication was exposed in results. Moreover, the Access_ Token could be leaked to any origin and the whole account can be compromised instantly.
var app_id = '124024574287414',
app_domain = 'www.instagram.com';
var exploit_url = 'https://www.facebook.com/connect/ping?client_id=' + app_id + '&redirect_uri=https%3A%2F%2Fstaticxx.facebook.com%2Fconnect%2Fxd_arbiter%2Fr%2F7SWBAvHenEn.js%3Fversion%3D44%23origin%3Dhttps%253A%252F%252F' + app_domain;
var i = document.createElement('iframe');
i.setAttribute('id', 'i');
i.setAttribute('style', 'display:none;');
i.setAttribute('src', exploit_url);
document.body.appendChild(i);
window.addEventListener('OAuth', function(FB) {
alert(FB.data.name);
}, !1);Credit Source: Amol Baikar
The vulnerability that leaks the 1st party graphql tokens also helps to query a mutation calls to add and confirm a new phone number for account recovery. These graphql tokens are whitelisted for GraphQL queries, and they do not need approval from any permission checks.
Unfortunately, all the Facebook apps and other third-party apps’ access points could be leaked at any time. Besides, the attackers can do anything they want with Facebook accounts as they can add phone email that they can use later on in the case of Forgot Password.
If users visit an attacker-controlled website, then attackers can take undue advantage from incorrect post message configuration and steal their first-party access tokens by using Facebook’s OAuth flow.
The first-party access tokens do not get expired and remain valid even if users change their Facebook account passwords. It means hackers can still control the users’ accounts and misuse their data deliberately.
Wrapping Up
As the bug resided in the “Login with Facebook” feature for almost a decade and was unnoticed, no one knows how many times cyber-goons used it to their advantage. So, it’s a humble request to all Facebook users to change their passwords and log out of all their devices as a safety measure as a wise old man once said: “precaution is better than cure”.
If you want to read about the best VPNs to use in different countries, you should read it here about good vpn for vietnam, good vpn for indonesia, good vpn for singapore, and more.
Since the vulnerability present within the “login with facebook” function for nearly 10 years, it’s uncertain that the bug is exploited or now not. So facebook users are advised to change the password and ensure to log off in all of the gadgets once.
Worth Reading this article!
Dear Noah Liam,
Thanks for providing your valuable feedback to us.
Yes, you are right as we mentioned in the blog that precaution is better than cure. You must log out of all your devices and change your Facebook accounts’ passwords at the earliest to remain safe from various privacy threats online.