Facebook system flaw gave a hacker access to every single person’s entire account


Nir Goldshlager runs a “Web Application Security Blog.” He has also found a variety of security holes and exploits on sites like Facebook, Twitter and PayPal. His latest discovery, however, was a glaring hole in Facebook’s OAuth system: Nir found a flaw that gave him access to everyone’s entire Facebook account — without having to install anything, or even click the “allow” button for apps.

I found a way to get full permissions (read inbox, outbox, manage pages, manage ads, read private photos, videos, etc.) over the victim account even without any installed apps on the victim account…

Here’s the video that Nir posted on his blog, detailing his method:

Don’t bother trying this yourself, though, as Facebook has already fixed it. But that doesn’t change the fact that there are such serious flaws in a site where more than a billion people have their information stored. And what if Nir hadn’t discovered this and posted it for everyone to see?

[via Nir Goldshlager, Gizmodo]


  • J.L.

    [@mukhi] People forget encryption as usual. I’m not talking about https, but something like your own AES password.

  • Nancy

    Yup! Had someone hack mine, and had to totally redo! Looks like these bored bums should get their a$$ out and get a job!

  • mukhi

    [@Shava Nerad] Good comments, and I do agree 100% with your last line…

  • Shava Nerad

    The real question is not what if Nir didn’t, but how many people discovered it and exploited it quietly before Nir put on his white hat and opened it up to public view?

    That’s how these things work generally. A lot of questionably motivated people discover the flaw and play their own games with it as they will. Eventually some white hat hacker notifies the site that they have a major security flaw, and they are in deep crap.

    Then, the typical response, believe it or not, is that the site sends them legal threats that they could be jailed for wire fraud (millions of dollars and decades of jail time) if they publish their results. So they need to bury their results and never publish them. Essentially, it turns security researchers into blackmailers whether they want to be or not — unless they call the companies’ bluffs and publish anyway, because people need to know their data has been compromised.

    Some gray hat folks make a very tidy living finding vulnerabilities and living off the ransoms from zero-day vulnerabilities, though, that the big companies will pay to keep out of the news like this. And it sucks, because you have no idea how many of these you never hear about.

    Personally, I would NEVER put any of my data I cared about in the cloud. Just sayin’….