Facebook social login bug, now fixed, exposed account holders to potential ID theft
A security researcher from Bitdefender discovered a bug in Facebook's third party social login process that could have allowed hackers to impersonate website account holders.
Facebook has updated its social login process — a form of authentication that allows users to sign in to third-party websites via their Facebook social accounts — after a security firm discovered a bug that could have enabled adversaries to steal their victims' online identities undetected.
According to a blog post today from Romania-based Bitdefender, a hacker looking to exploit the flaw would require a potential victim's email address — one that he or she had previously registered with any number of websites that require a user account — just as long as that same email address was not also registered with Facebook. (Of course, many users have multiple email accounts, not all of which are registered with Facebook, meaning it's certainly plausible for an email address to meet this criterion.)
Bitdefender vulnerability researcher Ionut Cernica figured out that if a hacker created a brand new, fraudulent Facebook account using a victim's stolen email address, the hacker could then immediately go into account settings and change that email address to his own personal email address—and Facebook would validate and accept both addresses, with the victim's stolen e-mail listed as the primary contact.
Simply by swapping in his own email as the primary contact, the hacker would then be able to use Facebook's social login technology to sign in as the victim on certain websites where the victim had previously registered the stolen email address. From there, the bad actor could perform any number of fraudulent acts using the victim's online identity, including purchasing items on e-commerce sites.
The Facebook-based login process uses the OAuth protocol as its open standard for account authorization. A source familiar with the vulnerability said if an individual had tried to exploit the flaw, it would not have worked on every website that enables Facebook login — only those whose OAuth-based process failed to properly merge victims' website accounts with their Facebook accounts. Furthermore, there so far are no reports of anyone actually leveraging this exploit successfully.
Alexandru Balan, chief security researcher at Bitdefender, said that OAuth security issues will surface from time to time. “On one hand you have isolated issues, which are quickly fixed, in the OAuth provider (Google, Facebook, Twitter, LinkedIn, etc.), with different outcomes — impersonation, for example, in our case,” said Balan, in an email interview with SCMagazine.com.
“On the other hand, there's the more dangerous scenario where the service using OAuth gets hacked. Let's say, for instance, that you used Twitter to log on somewhere, and the permission [that is] granted, as is very often the case with Twitter, was ‘This app can post on my behalf.' If that app or website you logged on to gets hacked, the hackers will be able to post on your Twitter account,” Balan continued.
Facebook issued the following statement to SCMagazine.com: "This bug was difficult to exploit at a large scale and didn't involve compromising Facebook accounts or company networks. However, we appreciate Ionut's coordination with our bug bounty team to quickly resolve this issue."
Balan himself acknowledged that the attack surface for this potential exploit “can be considered to be small, but with high impact” should an attacker have successfully hit on a vulnerable email address.
“I think it's important to mention that all major service providers are very responsible with their security,” added Balan. “They are open to hearing from independent researchers and fix their stuff very quickly. But I would sincerely recommend that everyone, every now and then, check what apps are enabled in what platform and with what permissions — and what would happen if the provider of one of those apps got hacked.”