Vulnerability in Facebook's OAuth allowed hacker full profile access

Feb 26, 2013 by Bob Yirka weblog
Vulnerability in Facebook’s OAuth allowed hacker full profile access Enlarge
Credit: nirgoldshlager.com

(Phys.org)—Nir Goldshlager writer of a security blog, is reporting that he found a vulnerability in Facebook's OAuth that allowed him full access to an individual's profile information. Facebook confirmed the vulnerability and has subsequently fixed the problem, but questions still linger about how safe user data is from developers who possess expert knowledge of the social giant's inner workings.

As most Facebook users know, if they wish to add an app to Facebook, they must first click an "accept" button when presented with one from the app asking for permission. It allows the app to access private profile information, which is necessary for the app to run. What Goldshlager found was a hole in this process—known as OAuth to developers—that allowed him to gain access to (in and outbox, ads pages, photo's etc.) without their permission.

The OAuth service is run by sending a URL—Goldshlager modified the URL in a way that allowed him to send a user to a page he had created himself where an access token would be stored, bypassing the instigation of the popup that would ask the user for access permission. Using this method, he was able to give himself permission to access a particular user's account profile information without the user being aware of what had occurred. There are two important things to note here: first, there is no evidence that any hackers knew of the vulnerability and used it to gain access to a user's information, and second, that the vulnerability works only on a single user account.

Because the vulnerability only works on one account at a time, it means a would not have been able to use it to create a program to steal account information from groups of users—it would have had to have been a personal attack, i.e. a single hacker trying to crack a single account. For that reason, Goldshlager and Facebook are reasonably sure that no one ever took advantage of the . Only those who develop applications might have ever stumbled across it, and had they, the monetary reward offered by Facebook via its White Hat program (which Goldshlager says he received for his efforts) would in most instances outweigh any other alternative actions they might be considering.

Goldshlager also reports that he's found other authorization bugs with , though he didn't go into detail on them. But his findings have created an air of uneasiness surrounding the degree of access developers gain with user accounts and what bugs might exist in the services they use that might allow a less honest hacker to gain personal data and use it for nefarious purposes.

Explore further: Security researcher finds SMS vulnerability in social media sites

add to favorites email to friend print save as pdf podcast

Related Stories

Facebook fixes photo privacy bug

Dec 07, 2011

Facebook has fixed a bug that allowed the viewing of some private photographs of other members and which was reportedly used to access personal pictures of founder Mark Zuckerberg.

Facebook leaked keys to account data: Symantec

May 11, 2011

US computer security firm Symantec has said that Facebook accidentally left a door open for advertisers to access profiles, pictures, chat and other private data at the social network.

Recommended for you

Seniors are attractive targets for online fraud

2 hours ago

Victims of online fraud need greater support to help them overcome the often serious health effects that follow discovery of the deception, QUT cybersecurity researcher Cassandra Cross says.

Internet in 'coma' as Iran election looms

May 19, 2013

Iran is tightening control of the Internet ahead of next month's presidential election, mindful of violent street protests that social networkers inspired last time around over claims of fraud, users and ...

Bernanke forecasts gains from computer technology

May 18, 2013

(AP)—Federal Reserve Chairman Ben Bernanke says pessimists who are forecasting that the economy will not reap sizable benefits from the computer revolution are likely to be proven wrong.

Yahoo Japan suspects 22 million IDs stolen

May 18, 2013

Yahoo Japan Corp. has said it suspects up to 22 million user IDs may have been stolen during an unauthorised attempt to access the administrative system of its Yahoo! Japan portal.

User comments : 0

More news stories

Patented system better secures digitally stored data

(Phys.org) —Arizona State University computer scientist Gail-Joon Ahn has been granted a U.S. patent for a novel identity management system that helps protect personal identity information stored on digital devices.

Apple's Cook to face Senate questions on taxes

A Senate panel says Apple Inc. is avoiding paying billions of dollars in U.S. taxes, but the world's most valuable company says it is complying with the laws and pays "an extraordinary amount" in taxes to the U.S. govern ...

Sprint to listen to Dish offer

(AP)—Wireless company Sprint Nextel Corp. says it can now let Dish Network Corp. see its books and talk with Dish to see whether its competing offer to buy Sprint is better than its current deal with Japan's SoftBank.

Making quantum encryption practical

One of the many promising applications of quantum mechanics in the information sciences is quantum key distribution (QKD), in which the counterintuitive behavior of quantum particles guarantees that no one can eavesdrop on ...

Evaluating a new way to open clogged arteries

Over the past few decades, scientists have developed many devices that can reopen clogged arteries, including angioplasty balloons and metallic stents. While generally effective, each of these treatments ...