Nir Goldshlager runs a “Web Application Security Blog.” He has also found a variety of security holes and exploits on sites like Facebook, Twitter and PayPal. His latest discovery, however, was a glaring hole in Facebook’s OAuth system: Nir found a flaw that gave him access to anyone’s entire Facebook account — without the victim having to install anything, or even click the “allow” button for an app.
I found a way in to get full permissions (read inbox, outbox, manage pages, manage ads, read private photos, videos, etc.) over the victim account even without any installed apps on the victim account…
Here’s the video that Nir posted on his blog, detailing his method:
Don’t bother trying this yourself, though, as Facebook has already fixed it. But that doesn’t change the fact that flaws this serious exist on a site where more than a billion people have their information stored. And what if Nir hadn’t discovered this and posted it for everyone to see?