Hacking any Facebook account; zero-day vulnerability found

Social media security flaws can have disastrous consequences for individuals due to their massive use and the amount of sensitive information circulating on these platforms. Amol Baikar, researcher specializing in vulnerability testing has reported the finding of a zero-day vulnerability in a Facebook login feature that should be considered highly serious for users. 

The vulnerability is related to the “Login with Facebook” feature is based on the Open Authorization 2.0 (OAuth 2.0) authorization protocol to exchange tokens between the official social network site and third-party sites. If exploited, the flaw would allow a threat actor to take control of the OAuth flow and extract the access token, compromising users’ accounts.

The Facebook’s Software Development Kit (SDK) for JavaScript uses the endpoint “/connect/ping” to generate an access token and redirect a configured URL to “XD_Arbiter”, which is whitelisted by all applications by default. Behind the scenes, the Initialization SDK creates an iframe proxy for cross-domain communication. The proxy framework returns the unauthorized token, code, or unknown state through the postMessage() API. 

While the endpoint was adequately protected against other known security flaws, the vulnerability testing specialist decided to try other ways to modify the authentication flow and steal the target user’s access token. 

Fragment of the proof of concept presented by the researcher

 Token interception completes by adding a new phone number to sign up for the target account. Successful exploiting of this vulnerability gives threat actors full write and read privileges, including messages, photos, and videos, as long as the privacy controls of the target account have not been customized. 

The vulnerability testing expert reported the flaw to Facebook through the social network rewards program, which recognized the report and implemented a correction as soon as possible. According to the International Institute of Cyber Security (IICS), Baikar would have received a reward of up to $50k USD, the highest amount Facebook has given to a client-side vulnerability report.