Hackers Could Have Accessed Anyone’s Facebook Profile Thanks to Flaw
Last week, a hacker revealed a Facebook flaw that would have allowed him access to anyone’s (yes, any and all) Facebook profile.
Before mass panic ensues, Facebook has already fixed the problem, but it’s worth pointing out just what left the information of the social media site’s slightly more than 1 billion users vulnerable.
Nir Goldshlager on his Web Application Security Blog wrote that exploiting the flaw he found would allow him to “take a full control over any Facebook account.”
“To make this exploit work, the victim only needs to visit a webpage,” Goldshlager continued.
As Mashable explained, the hacker went through OAuth, the authorization service Facebook developers use to obtain permission from users to let their apps act on their accounts, and manipulated it to give him full access to accounts.
Inbox, outbox, pages, ads, photos, videos and any other type of information could have been exposed. Only if the person he attacked changed their password would his access be revoked.
Goldshlager gave this URL as an example of the OAuth dialog:
Here’s what he tested out next:
I started to think of my options: what if I can redirect the application OAuth request to a different ‘next’ URL? First I tried to change the ‘next’ parameter to a different domain and they blocked my action.
Then I tried to change the next parameter to the facebook.com domain, and got blocked again with a general error message. I found that if you use a sub-domain, for example xxx.facebook.com, Facebook will allow this action, but if you try to access folders / files in x.facebook.com (x.facebook.com/xx/x.php), Facebook blocks you. So I noticed that facebook.com uses a hash sign and ! in their URLs (x.facebook.com/#!/xxxx). I tried to perform this action in the next parameter (next=x.facebook.com/%23!/), and Facebook blocked me again! Then I tried to put “something” between the hash sign and the ! (%23x!), and Facebook didn’t block this action.
With that, he wrote, he could redirect the OAuth response for the compromised account to any file on any of Facebook’s subdomains, including one that might redirect onward to a malicious website.
Still, the mechanism above would require the user to click Allow. Taking it a step further, Goldshlager substituted the app_id of Facebook Messenger, for which the user doesn’t need to grant any permissions.
Because this app is built into Facebook, users don’t have to accept anything, and it gave the hacker full access to accounts.
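The two redirect checks below are an added example in Python, not Facebook’s code and not from Goldshlager’s post. weak_next_check is an assumed reconstruction of the pattern-based check the quoted write-up describes (any subdomain of facebook.com trusted, real paths refused, a ‘#’-style pseudo-path allowed unless it matches the ‘#!’ pattern); strict_redirect_check is the mitigation: the target must exactly match a redirect URI registered for that app_id, with no fragment, and built-in apps get no special treatment. The app id “app-123” and the callback URL are constructed values.

```python
"""Redirect-target validation for an OAuth authorization endpoint.

Added example, not Facebook's code. weak_next_check models (as an
assumption) the behaviour described in the write-up; strict_redirect_check
is the exact-match allowlist that closes the gap.
"""
from urllib.parse import urlsplit, urlunsplit, unquote

TRUSTED_SUFFIX = ".facebook.com"  # assumption: the weak check trusted any subdomain


def weak_next_check(next_url: str) -> bool:
    """Pattern-based check modelled on the write-up (assumed logic, for illustration)."""
    parts = urlsplit(next_url)
    host = (parts.hostname or "").lower()
    # Any subdomain passes; the apex host "facebook.com" has no leading dot and fails.
    if not host.endswith(TRUSTED_SUFFIX):
        return False
    # The server percent-decodes the path, so "/%23x!/" becomes "/#x!/".
    path = unquote(parts.path)
    if path in ("", "/"):
        return True
    if path.startswith("/#") and not path.startswith("/#!"):
        return True  # the gap: "/#x!/..." slips past a blocklist written for "#!"
    return False  # ordinary files and folders such as /xx/x.php are refused


# Constructed registry: redirect URIs registered when each app was created.
REGISTERED_REDIRECTS = {
    "app-123": {"https://app.example.com/oauth/callback"},
}


def strict_redirect_check(app_id: str, next_url: str) -> bool:
    """Exact-match allowlist: no suffix matching, no fragments, no pattern blocklist,
    and an unknown or built-in app_id gets no exemption."""
    allowed = REGISTERED_REDIRECTS.get(app_id)
    if not allowed:
        return False
    parts = urlsplit(next_url)
    if parts.fragment or parts.username or parts.password:
        return False
    # Normalise only the case-insensitive components, then compare verbatim;
    # no decoding, no path canonicalisation, so "../" tricks cannot match.
    canonical = urlunsplit((parts.scheme.lower(), parts.netloc.lower(),
                            parts.path, parts.query, ""))
    return canonical in allowed


if __name__ == "__main__":
    for url in ("https://x.facebook.com/xx/x.php",
                "https://x.facebook.com/%23!/",
                "https://x.facebook.com/%23x!/"):
        print(url, "weak:", weak_next_check(url),
              "strict:", strict_redirect_check("app-123", url))
```

The point of the contrast is that the weak check reasons about what a URL looks like, so every new encoding or path form becomes a new bypass to patch, while the strict check only asks whether the string is one the app registered, which is the comparison RFC 6749 asks authorization servers to make.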
Here he shows how it was done:
As we stated before, Facebook has already fixed this flaw. The Daily Dot reported a Facebook spokesperson saying Goldshlager brought the problem to their attention.
“We worked with Mr Goldshlager to make sure we understood the full scope of the vulnerability, which allowed us to fix it without any evidence that this bug was exploited in the wild,” Facebook’s spokesperson said according to the Daily Dot. “Due to the responsible reporting of this issue to Facebook, we have no evidence that users were impacted by this bug. We have provided a bounty to the researcher to thank them for their contribution to Facebook Security.”
Read more details about the method that could have been previously used to hack accounts here.
lgccac
Posted on February 26, 2013 at 8:56am
Use common sense. Don’t put anything on Facebook that you don’t want the world to see or know about. It is NOT private.
Ar-shooter
Posted on February 27, 2013 at 12:57am
No….real common sense is not having a facepalm page in the first place……idiots!
G-WHIZ
Posted on February 27, 2013 at 10:53am
Owner/O’berrilover installed this especially for MuslimBrotherhood and Annoinimouse!!
justasurvivor
Posted on February 26, 2013 at 8:01am
If they hack into my FB account, they are DONE FOR!!! Because they’ll, literally, be bored to death.
stumpy68
Posted on February 26, 2013 at 10:11am
I hope they enjoy the pics from my last moose hunt
jackact
Posted on February 26, 2013 at 8:01am
When are people going to WAKE UP and realize that the FACEBOOK social network has become a MASSIVE societal problem?
SpankDaMonkey
Posted on February 26, 2013 at 7:12am
I can’t think of one good reason why anyone would want to take over a Facebook page….
What they gonna do? Steal one of your 1,254,719 friends……
HOOT_OWL
Posted on February 26, 2013 at 6:06am
http://www.iegallery.com/en-us/trackingprotectionlists
betterpart
Posted on February 26, 2013 at 3:11am
Facebook has become no more than a glorified craigslist, complete with street pimps, prostitutes, table pimps, chicken hawks and the rest of society’s bottom-feeders. Why anyone would want to hack into an account there is beyond me.
tonypro
Posted on February 26, 2013 at 4:12am
Right, and why anyone would want to post their life in a public forum is also beyond me.
DEFCON4
Posted on February 26, 2013 at 2:42am
“Farce-Book”….so.. it’s just a “Box of Rain”
‘We all know, who put it there ?
Believe, it if you ‘need it’, or leave IT if, ‘you dare’….
Oknowwhat
Posted on February 26, 2013 at 2:02am
What do they do with hacked Facebook profiles? Random posting? No one I know has correct DOB info, employer etc. I have 0 info on my profile. I guess there are some who really do list their personal info there?
tonypro
Posted on February 26, 2013 at 1:05am
Well I guess it’s a good thing I don’t do Facebook. It’s an information collection site, and no more. People have lost jobs, mates, money, etc. all over the ability to foolishly project their lives to an unknown public realm, where parasites and evil people prey on the weak.
I’ve sadly enough seen family members in my family no doubt actually use Facebook to communicate with each other, when they are both in the house at the same time. I mean how much effort does it take to get up and walk into the next room.
VoteRightDammit
Posted on February 26, 2013 at 12:32am
Ohhhhhhhh
Mmmmmmmmmmmm
Geeeeeeeeee
They may have taken over my Facebook account???????
I may DIE !!!!!!!!!!!!!!!!!!!!!!!!!!!
Now, back to my nap.
Exrepublisheep
Posted on February 26, 2013 at 12:44am
lol
SingerGuy
Posted on February 26, 2013 at 12:11am
Well of course they’re going to say, “we have no evidence that users were impacted by this bug.” Do we expect them to reveal that thousands of accounts were compromised? They wouldn’t admit that unless there was a smoking “projectile device” and their feet were being held to the fire. Mustn’t upset the sheeple by breaking their illusion of security and privacy.
paying-for-freedom
Posted on February 26, 2013 at 1:59am
Doesn’t seem like it really matters if someone hacks Facebook or not. Facebook freely gives all your information, messages and posts to the government anyway.