Last week, a hacker revealed a Facebook flaw that would have allowed him access to anyone’s (yes, any and all) Facebook profile.

Before mass panic ensues, Facebook has already fixed the problem, but it’s worth pointing out just what left the information of social media site’s slightly more than 1 billion users vulnerable.

Nir Goldshlager on his Web Application Security Blog wrote that exploiting the flaw he found would allow him to “take a full control over any Facebook account.”

“To make this exploit work, the victim only need to visit a webpage,” Goldshlager continued.

As Mashable explained the hacker went through the service OAuth, which Facebook developers use to obtain permission from users to allow their apps to run, and manipulated it to give him full access to accounts.

That’s inbox, outbox, pages, ads, photos, videos and any other type of information could have been available. Only if the person he attacked changed their password would his hack be inactivated.

Goldshlager gave this URL as an example of the OAuth dialog:

https://www.facebook.com/dialog/oauth/?app_id=YOUR_APP_ID&next=YOUR_REDIRECT_URL&state=YOUR_STATE_VALUE&scope=COMMA_SEPARATED_LIST_OF_PERMISSION_NAMES

Here’s what he tested out next:

I started to think of my options, what if i can redirect the application OAuth Request to a different ‘NEXT’ URL?? First i tried to change the ‘next’ parameter to a different domain and they block my action,

Then  i tried to change the next parameter to facebook.com domain, and got blocked again with general error message, I found that if you use a sub-domain for example: xxx.facebook.com, Facebook will allow this action,
But if you try to access folders / files in x.facebook.com (x.facebook.com/xx/x.php), Facebook block you,
So i notice that facebook.com use a Hash sign and ! in there URL (x.facebook.com/#!/xxxx),
I tried to perform this action in the next parameter (next=x.facebook.com/%23!/), And Facebook blocked me again!,

Then i tried to put “something” between the hash sign and the ! (%23x!), And Facebook didn’t block this action,

With that, he wrote that he would be able to redirect the compromised account to any files within any of Facebook’s subdomains, including one that might redirect to a malicious website.

Still, the above mechanism would still require the user to click allow. Taking it a step further, Goldshlager inputted the app_id of Facebook Messenger, for which the user doesn’t need to allow any permissions.

Because this app is built into Facebook, users don’t have to accept anything and it provides the hacker will full access to accounts.

Here he shows how it was done:

As we stated before, Facebook has already fixed this flaw. The Daily Dot reported a Facebook spokesperson saying Goldshlager brought the problem to their attention.

“We worked with Mr Goldshlager to make sure we understood the full scope of the vulnerability, which allowed us to fix it without any evidence that this bug was exploited in the wild,” Facebook’s spokesperson said according to the Daily Dot. “Due to the responsible reporting of this issue to Facebook, we have no evidence that users were impacted by this bug. We have provided a bounty to the researcher to thank them for their contribution to Facebook Security.”

Read more details about the method that could have been previously used to hack accounts here.