Facebook Had a Vulnerability in the “Login with Facebook” Feature for Ten Years
A vulnerability that allowed to hack any account has been discovered on Facebook, a popular social network. Security researcher Amol Baikar announced it on his website.
"I decided to analyze why I always feel insecure while using the "Login with Facebook" feature. Since they used multiple redirect URLs. But finding a vulnerability in Facebook and also having the most talented security researchers, Seem It wasn't an easy task. That was a very tough and challenging to find a bug in Facebook OAuth."
According to the expert, this critical vulnerability is about ten years. An old problem lies in the “Login with Facebook” feature that uses the OAuth 2.0 authorization protocol. "Login with Facebook" is often used to exchange profile data between social networks and other websites. Thus, the account becomes universal and can be used on other services without additional registration.
As a result of Baikar's work, confirmation was received that a cybercriminal can remotely configure a malicious site to intercept traffic to steal authorization data. This way, hackers gain access to Facebook user accounts. After this, the attacker can send messages and make publications on behalf of the hacked user, as well as change his/her account information. Also, this opens up the possibility for hackers to try and get control over profiles on Instagram, Tinder, and other applications that work with a Facebook profile.
Baikar informed the company about the discovered vulnerability. Facebook confirmed that it existed and fixed it. The social network also paid the specialist a remuneration of $55,000.
In November 2019, it was reported that Facebook employees fixed the vulnerability in the WhatsApp messenger – there was a loophole that allowed attackers to hack users' devices and steal their data.