Facebook vulnerability exposes accounts to hijack
Spam attacks steal access tokens, give full account access, says security firm Cyberoam
A global security hardware vendor today claimed it had unearthed a critical hole in the authorisation layer of Facebook Inc's social network.
The report comes within a day of Facebook chief operating officer Sheryl Sandberg’s statement to Reuters that the world’s largest social media company was at its strongest since its troubled IPO a year ago.
"When I look back at the last year since we went public, I believe we are unequivocally a much stronger company today than we were on literally any metric I can think of," Sandberg said at the Reuters Global Technology Summit yesterday.
Cyberoam Technologies reported that its Threat Research Labs (CTRL) had uncovered the flaw in Facebook's access-token authorisation mechanism while investigating a spam campaign. The campaign spreads a video link titled "lady with razor-sharp axe". The blurb promises a hilarious clip, but clicking the link hands the user's access token to the attackers, who use it to generate further tokens and so act on the account without ever having to authenticate to it.
Such access allows the spammer to take control of Facebook accounts and perform "nearly every task which a Facebook user can do", according to Cyberoam.
"Ongoing Facebook spams such as ‘lady with razor-sharp axe' tend to store stolen Facebook access tokens on their servers for further attacks or exploits," said Bhadresh Patel, lead vulnerability researcher at CTRL.
"This attack is not limited only to tagging or uploading of photos. Upon clicking the link, Facebook users are unwittingly handing over complete access to their Facebook account, which remains available to attackers even after an affected user logs out from their Facebook account."
Cyberoam said Facebook has been informed of the vulnerability. Facebook could not be reached for comment.
CTRL suggested several ways to guard against the attack. First, do not click the link. Users who have already clicked it should change their Facebook password, which invalidates the access tokens issued before the change, including any that were stolen when the malicious link was clicked.
CTRL also urged Facebook users to turn off "Apps you use" under App Settings in their Facebook account, so that no access tokens are issued to third-party applications at all. Note that this switches off every third-party app connected to the account, legitimate ones included.
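The two properties the article relies on are worth seeing in code: a stolen token (and any token minted from it) survives the victim logging out, yet a password change kills all of them. The following is an added illustration written for this page, not Facebook's implementation or Cyberoam's code. It assumes one common way of getting that behaviour: every token is bound to the account's current "credential generation", and a password change bumps the generation so older tokens fail validation. The `TokenService` class, the `exchange` method standing in for "generating other tokens", and the scenario data are all constructed for the example.

```python
"""Added example: token revocation by credential generation (not Facebook's code)."""
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Account:
    user_id: str
    salt: bytes
    password_hash: bytes
    credential_generation: int = 1  # bumped on every password change


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class TokenService:
    """Toy token issuer (an assumption for this example): tokens are random
    handles stored server-side together with the generation they were minted under."""

    def __init__(self) -> None:
        self._accounts: Dict[str, Account] = {}
        self._tokens: Dict[str, Tuple[str, int]] = {}  # token -> (user_id, generation)

    def register(self, user_id: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._accounts[user_id] = Account(user_id, salt, _hash_password(password, salt))

    def _check_password(self, user_id: str, password: str) -> Optional[Account]:
        acct = self._accounts.get(user_id)
        if acct is None:
            return None
        candidate = _hash_password(password, acct.salt)
        return acct if secrets.compare_digest(acct.password_hash, candidate) else None

    def _mint(self, acct: Account) -> str:
        token = secrets.token_urlsafe(32)
        self._tokens[token] = (acct.user_id, acct.credential_generation)
        return token

    def login(self, user_id: str, password: str) -> Optional[str]:
        acct = self._check_password(user_id, password)
        return self._mint(acct) if acct else None

    def validate(self, token: str) -> Optional[str]:
        """Return the user_id if the token is live and minted under the current generation."""
        entry = self._tokens.get(token)
        if entry is None:
            return None
        user_id, generation = entry
        if generation != self._accounts[user_id].credential_generation:
            del self._tokens[token]  # stale: the password changed after this token was issued
            return None
        return user_id

    def exchange(self, token: str) -> Optional[str]:
        """Mint a fresh token from a valid one without re-authenticating.  This stands in
        for the step the article describes: a stolen token is used to generate others.
        The new token is bound to the account's current generation, so it cannot outlive
        a password change either."""
        user_id = self.validate(token)
        return self._mint(self._accounts[user_id]) if user_id else None

    def logout(self, token: str) -> None:
        # Revokes only this token; other tokens for the same account stay valid.
        self._tokens.pop(token, None)

    def change_password(self, user_id: str, old: str, new: str) -> bool:
        acct = self._check_password(user_id, old)
        if acct is None:
            return False
        acct.salt = secrets.token_bytes(16)
        acct.password_hash = _hash_password(new, acct.salt)
        acct.credential_generation += 1  # every previously issued token is now stale
        return True


def run_scenario() -> Dict[str, bool]:
    """Constructed scenario: victim's token is stolen, attacker mints their own from it."""
    svc = TokenService()
    svc.register("victim", "correct horse")
    victim_token = svc.login("victim", "correct horse")
    stolen = victim_token                   # the spam page has obtained the victim's token
    attacker_token = svc.exchange(stolen)   # attacker generates a token of their own
    results = {"attacker_token_valid": svc.validate(attacker_token) == "victim"}
    svc.logout(victim_token)
    results["attacker_valid_after_victim_logout"] = svc.validate(attacker_token) == "victim"
    svc.change_password("victim", "correct horse", "battery staple")
    results["attacker_valid_after_password_change"] = svc.validate(attacker_token) == "victim"
    results["attacker_can_exchange_after_change"] = svc.exchange(attacker_token) is not None
    results["victim_can_log_in_again"] = svc.validate(svc.login("victim", "battery staple")) == "victim"
    return results


if __name__ == "__main__":
    for name, outcome in run_scenario().items():
        print(f"{name}: {outcome}")
```

The design choice that matters is that `validate` compares the generation recorded at mint time against the account's current one, rather than searching for and deleting tokens on password change; that way tokens the server has lost track of (replicated caches, tokens minted via `exchange`) still fail as soon as the generation moves on. Logging out, by contrast, touches only the one token being logged out, which is exactly why the article's advice is to change the password rather than simply log out.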