Crisis Averted: Researcher Thwarts Dangerous Facebook Attack


A researcher who has been hunting down authentication vulnerabilities has discovered a serious issue with Skype and Dropbox that, if kept open, could have given attackers a way to take complete control of potentially thousands of Facebook user accounts.

Nir Goldshlager of Break Security, a security research firm based in Herzliya, Israel, discovered an open redirect vulnerability, which provides a way to bypass the validation process websites use to authenticate a visitor's identity. Goldshlager found that both Skype and Dropbox failed to validate redirects, giving attackers a way to steal the permission tokens used by partner sites to validate their identity, according to Goldshlager, who outlined the attack with TechCrunch Wednesday.

An attacker would need the victim's Facebook ID and would then use a method to redirect the victim to a malicious site to steal their authentication token. The cybercriminal would need to use the Graph API Explorer, a tool provided to developers to write third-party apps that can interact with Facebook. The tool ensures valid third-party apps are formatted properly to obtain a user's access token and the permissions needed to obtain a user's data. Goldshlager demonstrated the attack in a proof-of-concept video posted this week on Vimeo.
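The redirect validation at the heart of this story is the check an OAuth provider performs on the `redirect_uri` a client app supplies before it sends the user (and the token) there. The example below is added here for illustration and is not code from the article, from Facebook, Skype or Dropbox, or from Goldshlager's research; the client id, the registered callback URL and the `/redirect?url=` endpoint are constructed, hypothetical values. It contrasts a loose host-only comparison, which lets a token be sent to any page on the partner host, including one that forwards visitors elsewhere, with an exact-match check against the registered callback.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed allowlist: the callback URI each client app registered with the
# provider. Values are hypothetical and exist only for this example.
REGISTERED_REDIRECTS = {
    "example-client": {"https://app.example.com/oauth/callback"},
}


def loose_redirect_check(client_id: str, redirect_uri: str) -> bool:
    """Weak check: accept any URI whose host matches a registered callback.

    If the partner site hosts any endpoint that forwards visitors to a
    caller-chosen URL, this check still approves it, so the token the
    provider appends is delivered to whatever that endpoint forwards to.
    """
    host = urlsplit(redirect_uri).hostname
    return any(
        urlsplit(registered).hostname == host
        for registered in REGISTERED_REDIRECTS.get(client_id, ())
    )


def strict_redirect_check(client_id: str, redirect_uri: str) -> bool:
    """Exact-match check: scheme, host, port and path must equal a
    registered callback; query strings and fragments are refused outright,
    so a forwarding endpoint on the same host cannot be named."""
    parts = urlsplit(redirect_uri)
    if parts.scheme != "https" or parts.query or parts.fragment:
        return False
    # Normalise only the case of the host; the path is compared verbatim.
    normalized = urlunsplit(
        (parts.scheme, parts.netloc.lower(), parts.path or "/", "", "")
    )
    return normalized in REGISTERED_REDIRECTS.get(client_id, set())


def authorize(client_id: str, redirect_uri: str, strict: bool = True) -> str:
    """Simulated provider decision: where would the token be sent, if at all?

    Returns the approved redirect target, or an empty string when refused.
    """
    check = strict_redirect_check if strict else loose_redirect_check
    return redirect_uri if check(client_id, redirect_uri) else ""


if __name__ == "__main__":
    good = "https://app.example.com/oauth/callback"
    # Constructed example of a same-host forwarding endpoint being named as
    # the callback; the forward target is a reserved, non-routable name.
    forwarding = "https://app.example.com/redirect?url=https://attacker.invalid"
    print("loose  :", authorize("example-client", forwarding, strict=False))
    print("strict :", authorize("example-client", forwarding, strict=True))
    print("strict :", authorize("example-client", good, strict=True))
```

The design point is that the allowlist must be compared as a whole URI, not decomposed into a host check; once a query string or an unregistered path is tolerated, any forwarding behaviour on the partner site becomes part of the provider's attack surface.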


Goldshlager, who didn't respond to a request by CRN for comment in time for this story, has found a slew of Facebook vulnerabilities in the past several years. He is listed on Facebook's white hat hacker page for properly disclosing bugs to the social network. The flaws he has found range from simple cross-site scripting (XSS) errors, which are common in Web applications, to serious authentication errors connected to OAuth, an open protocol used by a variety of websites to authorize users to use Web, mobile and desktop applications.

The security researcher discovered a serious Facebook vulnerability in February, which enabled a hacker to get full permissions to a user account by exploiting Facebook's OAuth authentication implementation. The attack crafted by Goldshlager provided an attacker with an access token that never expires unless the victim changes his or her password. The vulnerability was promptly fixed by Facebook.

Facebook is constantly battling cybercriminals attempting to exploit the users of its network. Symantec warned of a quickly spreading Facebook scam last month that lured users into visiting a website by masquerading as a service that could change their Facebook page colors. The Experience Facebook Black attack was quickly contained by the social network, which uses technology to detect suspicious user activity and a security team to investigate issues that have been flagged.

Malicious third-party apps, spam and other scams persist on Facebook but have declined in recent years due to the attention given to eradicating issues quickly, Catalin Cosoi, head of the online threats lab at Bitdefender, told CRN. Cosoi said attackers can turn to other methods to steal user account credentials, peddle spam or use stolen data to conduct more serious attacks on corporate networks.

"I think there has been a lot of data-collecting being done on individuals," Cosoi said. "It's very likely that the more sophisticated attackers will use the publicly available data on social networks and blogs to create more dangerous attacks."

PUBLISHED APRIL 4, 2013