For about 10 years Facebook had a vulnerability that allowed an attacker to take over any user's account

Security researcher Amol Baikar has published details of a vulnerability that had existed for roughly ten years in Facebook's implementation of OAuth-based login. Exploiting it allowed an attacker to take over Facebook accounts.


The problem affects the "Login with Facebook" feature, which lets users sign in to third-party websites with their Facebook account. Tokens are exchanged between facebook.com and the third-party site using the OAuth 2.0 protocol. The flaw was not in OAuth 2.0 itself but in how Facebook's login flow handed out access tokens: a malicious website visited by a logged-in user could obtain the user's access token and use it to take over the account. Because the same token mechanism underlies the "Login with Facebook" button on many other services, the attacker could also gain access to the victim's accounts on those services. With a valid token, an attacker can read and send messages, edit profile data, and perform other actions on behalf of the account owner.
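Token interception in a "Login with Facebook"-style flow usually works because the authorization server sends the token to a redirect target the attacker controls. The following is an added example, not code from the article or from Facebook, showing the redirect_uri check an OAuth 2.0 authorization endpoint should perform before issuing an implicit-flow token, with a loose prefix-match variant beside it for contrast. The client ID, registered callback URL and all request URLs are constructed for the example.

```javascript
// Added example: strict vs. loose redirect_uri validation on an OAuth 2.0
// authorization endpoint. Everything below is hypothetical and constructed.

// Registered redirect URIs per client_id (constructed registry).
const REGISTERED_REDIRECTS = new Map([
  ["123456", new Set(["https://app.example.com/auth/callback"])],
]);

// Strict check: exact match on scheme + host + port + path, no userinfo,
// no query string, no fragment. The URL is parsed and normalized first so
// that "/auth/callback/../../x" cannot masquerade as the registered path.
function isAllowedRedirect(clientId, requested) {
  const allowed = REGISTERED_REDIRECTS.get(clientId);
  if (!allowed) return false;
  let url;
  try {
    url = new URL(requested);
  } catch {
    return false; // unparsable input is rejected, not "best-effort" matched
  }
  if (url.protocol !== "https:") return false;
  if (url.username || url.password || url.hash) return false;
  if (url.search !== "") return false;
  return allowed.has(url.origin + url.pathname);
}

// Loose check (vulnerable): accept anything that starts with the registered
// origin. "https://app.example.com.evil.net/..." passes this test because
// the string comparison never looks at where the hostname ends.
function isAllowedRedirectLoose(clientId, requested) {
  const allowed = REGISTERED_REDIRECTS.get(clientId);
  if (!allowed) return false;
  for (const registered of allowed) {
    if (requested.startsWith(new URL(registered).origin)) return true;
  }
  return false;
}

// Implicit-flow response: the access token travels in the URL fragment of
// the redirect, so whoever controls the redirect target receives the token.
// Returns the Location header value, or null if the redirect is refused.
function buildImplicitRedirect(clientId, redirectUri, accessToken, state) {
  if (!isAllowedRedirect(clientId, redirectUri)) return null;
  const params = new URLSearchParams({
    access_token: accessToken,
    token_type: "bearer",
    state,
  });
  return `${redirectUri}#${params.toString()}`;
}

// Constructed attacker-supplied redirect targets.
const ATTACKER_URIS = [
  "https://app.example.com.evil.net/auth/callback", // host suffix trick
  "https://app.example.com/auth/callback/../../open-redirect", // path traversal
  "https://evil.net@app.example.com/auth/callback", // userinfo confusion
  "http://app.example.com/auth/callback", // downgrade to plaintext
];

// Summary of which checks each attacker URI slips past.
function compareChecks(clientId) {
  return ATTACKER_URIS.map((uri) => ({
    uri,
    strict: isAllowedRedirect(clientId, uri),
    loose: isAllowedRedirectLoose(clientId, uri),
  }));
}

if (typeof require !== "undefined" && require.main === module) {
  console.table(compareChecks("123456"));
}
```

The loose variant accepts the host-suffix and path-traversal URIs, which is exactly the kind of mistake that lets a malicious page receive a token meant for the legitimate relying party; the strict variant refuses all four and only ever emits a token to the registered callback.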

According to the reports, the researcher notified Facebook of the problem in December 2019. The developers confirmed the vulnerability and fixed it promptly. In January 2020, however, Baikar found a bypass for the fix that again allowed access to user accounts. Facebook subsequently closed that hole as well, and the researcher received a bounty of $55,000.



Source: 3dnews.ru
