The vulnerability exists in the “Login with Facebook” option. It lets hackers set up a phony website, which they can use to exchange Access Tokens for other applications, including Spotify, Netflix, Instagram, Tinder, and Oculus, in addition to the hijacked FB profiles. Once the hacker has hijacked the targeted FB accounts using the Access Tokens, he has access to personal data, including private messages, photos, videos, and the account setup credentials.
According to Amol Baikar, the Indian cybersecurity expert who found this vulnerability, the FB flaw allows hackers to exploit user accounts on services that include Tinder, FB, Oculus, Spotify, Instagram, and Netflix. Along with the account hijack, the hacker can also get 3rd-party access to the mentioned apps via the “Login with Facebook” option. Facebook first received a report of this vulnerability in December 2019 and immediately issued a security fix. The company also announced a $55,000 bounty through its Bug Bounty Program for the person who found it. This is said to be the biggest bounty ever issued for a client-side hack vulnerability found on Facebook.
Cybersecurity organization GBHackers has made the following observations regarding the Facebook vulnerability:
- The login credentials (Access Tokens) of all FB apps and 3rd-party apps could be exposed at the same time, within a few seconds.
- The vulnerability allows the hacker to take over the Facebook account of the user. Moreover, the hacker can read, write, edit, and delete your data.
- The hacker also has the option to modify your privacy settings in the FB account.
- If a user visits the malicious website set up by the hackers, they can lose their 1st-party Access Tokens.
- The stolen 1st party Access Tokens never lapse.
- The attacker has control over the hijacked Facebook account even after the user changes the login credentials.