Hacker says security flaw let him access any Facebook profile

The social network recently fixed a bug discovered by a developer who demonstrated how the loophole let him take over other people's accounts.

Donna Tam Staff Writer / News
Donna Tam covers Amazon and other fun stuff for CNET News. She is a San Francisco native who enjoys feasting, merrymaking, checking her Gmail and reading her Kindle.

A security hacker recently found a flaw in a Facebook system that allowed developers to access anyone's Facebook account through app permissions.

Though Facebook has fixed this issue, Nir Goldshlager, a Web application security specialist who looks for these types of flaws professionally, found more app authorization bugs that need fixing, according to his blog. App permissions are what developers use to access the user data needed to run their apps. Users give them access permission when they install the apps.

"I found a couple more OAuth flaws in Facebook, just waiting for a fix to post about it," Goldshlager wrote in his blog, where he detailed his findings.

Facebook wouldn't comment on what other flaws Goldshlager may have found but did say the original bug he detected had not been taken advantage of by actual Facebook developers. The company didn't say when Goldshlager reported the flaw.

"We applaud the security researcher who brought this issue to our attention and for responsibly reporting the bug to our White Hat Program. We worked with the team to make sure we understood the full scope of the vulnerability, which allowed us to fix it without any evidence that this bug was exploited in the wild," a Facebook representative wrote in an e-mail to CNET. "Due to the responsible reporting of this issue to Facebook, we have no evidence that users were impacted by this bug. We have provided a bounty to the researcher to thank them for their contribution to Facebook Security."

The bug Goldshlager found allowed him to steal access tokens and gain full access to a profile as a developer. This included messages, page management, ad management, private photos, and videos. It applied even to profiles that had not installed any extra apps, because he could go through Facebook's built-in apps, like Messenger, as well. The tokens for third-party apps didn't expire unless the victim changed his or her password, but the tokens for Facebook's own Messenger app never expired, he wrote.
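The last two sentences describe the token-lifetime weakness a defender cares about: a stolen token is only as dangerous as it is long-lived, and a first-party token that never expires (and is not revoked by a password change) is a standing credential. The following is an added example, not Facebook's code or anything from Goldshlager's blog, of how a token store can apply the same lifetime and password-change revocation to first-party and third-party app tokens alike; the user and app identifiers are constructed for the demonstration.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class TokenRecord:
    user_id: str
    app_id: str
    issued_at: float
    password_generation: int  # value of the user's password counter at issue time


class AccessTokenStore:
    """Constructed example of a token store with two safeguards:
    every token has a fixed lifetime (no 'never expires' class of app),
    and every token is bound to the user's password generation, so a
    password change invalidates all tokens issued before it."""

    def __init__(self, ttl_seconds: int = 3600) -> None:
        self.ttl_seconds = ttl_seconds
        self._password_generation: Dict[str, int] = {}
        self._tokens: Dict[str, TokenRecord] = {}

    def issue(self, user_id: str, app_id: str, now: Optional[float] = None) -> str:
        """Mint an opaque token and record who it belongs to and when it was issued."""
        now = time.time() if now is None else now
        generation = self._password_generation.setdefault(user_id, 0)
        token = secrets.token_urlsafe(32)
        self._tokens[token] = TokenRecord(user_id, app_id, now, generation)
        return token

    def validate(self, token: str, now: Optional[float] = None) -> Optional[TokenRecord]:
        """Return the token's record if it is live, otherwise None.
        Dead tokens are dropped from the store so they cannot be retried."""
        now = time.time() if now is None else now
        record = self._tokens.get(token)
        if record is None:
            return None
        # Lifetime check applies to first-party apps exactly as to third-party ones.
        if now - record.issued_at > self.ttl_seconds:
            self._tokens.pop(token, None)
            return None
        # Password-change check: a token issued under an older generation is revoked.
        if record.password_generation != self._password_generation.get(record.user_id, 0):
            self._tokens.pop(token, None)
            return None
        return record

    def change_password(self, user_id: str) -> None:
        """Bump the generation counter; existing tokens for this user stop validating."""
        self._password_generation[user_id] = self._password_generation.get(user_id, 0) + 1


def demo() -> Dict[str, bool]:
    """Walk through the scenario from the article with constructed identifiers."""
    store = AccessTokenStore(ttl_seconds=3600)
    t0 = 1_000_000.0  # constructed fixed clock so results are deterministic
    third_party = store.issue("alice", "third_party_app", now=t0)
    first_party = store.issue("alice", "first_party_messenger", now=t0)

    results = {}
    results["third_party_fresh"] = store.validate(third_party, now=t0 + 60) is not None
    results["first_party_fresh"] = store.validate(first_party, now=t0 + 60) is not None
    # The first-party token expires like any other once its lifetime passes.
    results["first_party_expired"] = store.validate(first_party, now=t0 + 3601) is not None
    # A password change revokes the still-young third-party token.
    store.change_password("alice")
    results["third_party_after_password_change"] = (
        store.validate(third_party, now=t0 + 120) is not None
    )
    return results


if __name__ == "__main__":
    for name, is_valid in demo().items():
        print(f"{name}: {'valid' if is_valid else 'rejected'}")
```

The design choice worth noting is the password generation counter: rather than scanning and deleting a user's tokens on every password change, each token carries the counter value it was issued under, and validation compares it to the current value, which makes revocation O(1) and impossible to forget for any app category.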