Recently, Facebook faced two serious security threats discovered through its bug bounty program, including a data leak that potentially affected over one million users.
After being exposed in the Cambridge Analytica scandal, the company extended its bug bounty program with a provision to protect user data from misuse by developers. Known as the Data Abuse Bounty, the program received a report from Nightwatch Security researcher Yaakov Shafranovich detailing a third-party application that handled user data insecurely.
The details of the security flaw were disclosed to the public this week, although the bug was first discovered in September 2018.
The Android app responsible is available on the Google Play Store and describes itself as an app that provides extra functionality to Facebook users. The app has been downloaded over one million times.
The number of users affected by the app is still unknown. However, experts say that the app accesses data through Facebook's API and copies the collected information to a Firebase database and an API server that lack proper authentication and transport protection (HTTPS).
Facebook immediately removed the insecure app from its platform. Unfortunately, the Android version remains on the Play Store.
The data leak was reported through the Facebook Data Abuse Bounty Program in September; the program pays out for valid reports. Although the figures of the reward have not been revealed, sources tell us that payouts can be as much as $40,000.
Besides this, Facebook has been subjected to other security issues in the past months as well. Just last week, a bug hunter using the pseudonym Samm0uda published a report on a CSRF protection bypass vulnerability in the main Facebook website. According to the report, the bug allowed an attacker to send requests carrying valid CSRF tokens to arbitrary endpoints on Facebook, which could result in a complete takeover of the victim's account.
All the attacker had to do was trick the target into clicking a link. The vulnerable endpoint was facebook.com/comet/dialog_DONOTUSE/?url=XXXX, where XXXX stood for the endpoint to which the POST request would be made.
The CSRF token, fb_dtsg, was automatically included in the request body, so if the user visited the URL through the malicious app, the attacker could use the token to perform actions in the victim's account.
Because the endpoint sat under the main www.facebook.com domain, the attacker could easily trick targets into visiting the URL.
During testing, the researcher observed that he could delete profile pictures, publish posts on the victim's timeline, and even delete the account entirely.
To fully hijack an account, the attacker would also have to add a new email address or phone number to the target account. However, this requires the victim to visit two separate URLs.
The bug bounty hunter managed to bypass this limitation by finding endpoints that accepted a 'next' parameter, allowing the complete account to be taken over with a single click.
Samm0uda developed several externally hosted scripts that could retrieve the user's access token, bypass Facebook's redirection process, and change the login credentials once the victim had authorized the malicious app.
Facebook has a strict account hijacking policy and condemns any such acts on its platform. The report of the security flaw was submitted to the tech giant on 26 January, and the issue was fixed within five days. Samm0uda was also recognized for his efforts and received a bug bounty reward of $25,000.
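The root of the bypass described above is an endpoint that forwards a CSRF token to whatever destination a `url` or `next` parameter names. As an added example (not code from the researcher's report or from Facebook), the function below shows one way such a dialog endpoint can validate that parameter against a fixed allowlist before attaching a token; the allowlist paths and the function name are constructed assumptions.

```python
from urllib.parse import urlsplit, unquote
import posixpath

# Constructed allowlist of same-origin endpoint paths the dialog may POST to.
# These paths are hypothetical, not Facebook's real endpoints.
ALLOWED_TARGETS = frozenset({
    "/settings/profile/update",
    "/comments/create",
})


def resolve_dialog_target(url_param):
    """Return a safe same-origin path for a `url`/`next` style parameter,
    or None when the value must be rejected.

    A CSRF token (fb_dtsg in the article) should only be attached to the
    forwarded request when this function returns a path.
    """
    if not url_param:
        return None
    raw = unquote(url_param)  # undo one layer of %-encoding first
    # Backslashes are treated as "/" by some browsers; refuse them outright.
    if "\\" in raw:
        return None
    parts = urlsplit(raw)
    # Anything with a scheme or host ("https://evil.example", "//evil.example")
    # could leave the origin, so it is rejected.
    if parts.scheme or parts.netloc:
        return None
    if not raw.startswith("/") or raw.startswith("//"):
        return None
    # Collapse "/a/../b" traversal before comparing with the allowlist.
    path = posixpath.normpath(parts.path)
    if path not in ALLOWED_TARGETS:
        return None
    # Attacker-supplied query/fragment is dropped; the caller builds its own.
    return path
```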