SafeUM
Axarhöfði 14, 110 Reykjavik, Iceland

Iceland - 2015
27 Apr 2016

Facebook social login bug exposed account holders to potential ID theft

Facebook has updated its social login process — a form of authentication that allows users to sign in to third-party websites via their Facebook social accounts — after a security firm discovered a bug that could have enabled adversaries to steal their victims' online identities undetected.

According to a blog post today from Romania-based Bitdefender, a hacker looking to exploit the flaw would require a potential victim's email address — one that he or she had previously registered with any number of websites that require a user account — just as long as that same email address was not also registered with Facebook.

Of course, many users have multiple email accounts, not all of which are registered with Facebook, so it is certainly plausible for an email address to meet this criterion. Bitdefender vulnerability researcher Ionut Cernica found that if a hacker created a brand new, fraudulent Facebook account using a victim's stolen email address, the hacker could then immediately go into the account settings and change that email address to his own personal email address — and Facebook would validate and accept both addresses, with the victim's stolen email listed as the primary contact.

Simply by swapping in his own email as the primary contact, the hacker would then be able to use Facebook's social login technology to sign in as the victim on certain websites where the victim had previously registered the stolen email address. From there, the bad actor could perform any number of fraudulent acts using the victim's online identity, including purchasing items on e-commerce sites.

The Facebook-based login process uses the OAuth protocol as its open standard for account authorization. A source familiar with the vulnerability said that if an individual had tried to exploit the flaw, it would not have worked on every website that enables Facebook login — only on those whose OAuth-based process failed to properly merge victims' website accounts with their Facebook accounts. Furthermore, so far there are no reports of anyone actually leveraging this exploit successfully.
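To make that failing merge step concrete, the following is an added example (not code from the article, Bitdefender or Facebook) of a third-party site's social-login handler in two versions: one that merges a provider identity into an existing local account on the strength of its email claim alone, and a hardened one that resolves identities by the provider's stable user id and refuses to auto-merge on an email collision. The classes, the `email_verified` flag and the `link_after_proof` helper are assumptions for illustration.

```python
from dataclasses import dataclass

@dataclass
class LocalUser:
    email: str

@dataclass(frozen=True)
class SocialIdentity:
    provider: str          # e.g. "facebook"
    provider_user_id: str  # stable id issued by the provider
    email: str             # email claim carried in the OAuth profile
    email_verified: bool   # whether the provider asserts it verified the email

class SiteDB:
    # Toy account store for a third-party site that offers social login.
    def __init__(self):
        self.by_email = {}  # email -> LocalUser
        self.by_link = {}   # (provider, provider_user_id) -> LocalUser

    def register_local(self, email):
        user = LocalUser(email)
        self.by_email[email] = user
        return user

def vulnerable_social_login(db, ident):
    # Flawed merge: a provider identity carrying a matching email claim is
    # treated as the owner of the existing local account.
    user = db.by_email.get(ident.email)
    if user is None:
        user = db.register_local(ident.email)
    return user

def hardened_social_login(db, ident):
    # Resolve by the provider's stable user id, never by the email claim.
    key = (ident.provider, ident.provider_user_id)
    if key in db.by_link:
        return db.by_link[key]
    # An email collision with an existing local account is not a login.
    if ident.email in db.by_email:
        raise PermissionError("account exists; link it from a logged-in session")
    if not ident.email_verified:
        raise PermissionError("provider did not verify the email claim")
    user = db.register_local(ident.email)
    link_after_proof(db, user, ident)
    return user

def link_after_proof(db, user, ident):
    # Only reachable from a session the local user authenticated directly
    # (assumed: password re-auth or emailed confirmation has already passed).
    db.by_link[(ident.provider, ident.provider_user_id)] = user
```

With a local account already registered under the victim's address, the vulnerable handler returns that account to any provider identity carrying the same email, while the hardened one refuses until the account owner links the provider identity from an authenticated session.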

Alexandru Balan, chief security researcher at Bitdefender, said that OAuth security issues will surface from time to time. “On one hand you have isolated issues, which are quickly fixed, in the OAuth provider (Google, Facebook, Twitter, LinkedIn, etc.), with different outcomes — impersonation, for example, in our case,” said Balan, in an email.

“On the other hand, there's the more dangerous scenario where the service using OAuth gets hacked. Let's say, for instance, that you used Twitter to log on somewhere, and the permission [that is] granted, as is very often the case with Twitter, was ‘This app can post on my behalf.’ If that app or website you logged on to gets hacked, the hackers will be able to post on your Twitter account,” Balan continued.

Balan himself acknowledged that the attack surface for this potential exploit “can be considered to be small, but with high impact” should an attacker have successfully hit on a vulnerable email address. “I think it's important to mention that all major service providers are very responsible for their security,” added Balan. “They are open to hearing from independent researchers and fix their stuff very quickly. But I would sincerely recommend that everyone, every now and then, check what apps are enabled in what platform and with what permissions — and what would happen if the provider of one of those apps got hacked.”

Tags:
Facebook information leaks
Source:
SC Magazine