
Cyberoam finds another Facebook vulnerability

By Kirsten Doyle, ITWeb contributor.
Johannesburg, 30 Oct 2013
Cyberoam reported the flaw to Facebook, and it has since been fixed.

Researchers at Cyberoam Threat Research Labs (CTRL) have discovered a critical vulnerability in Facebook's OAuth process.

Cyberoam reported the flaw to Facebook, and it has subsequently been fixed.

Much like a cross-site request forgery (CSRF) attack, an attacker leveraging this method can generate a malicious link and deliver it in a Facebook post, an e-mail message or an IM share.

A CSRF attack is a malicious exploit that essentially forces a user to execute unwanted actions on a Web application in which they are authenticated at the time.

Bhadresh Patel, lead vulnerability researcher at CTRL, says as the first step in exploiting this vulnerability, the hacker circumvents the URL validation process in Facebook's OAuth dialogue for authorising a malicious app into the "Apps you use" section of the target victim's Facebook account. This gives the attacker the ability to generate valid access tokens for the malicious app.

"Essentially, by luring a victim into clicking on a tempting link or news or story, a malicious code hidden in the Web page would be instantly executed, and the victim would have no idea his Facebook account had been hijacked."

The attacker effectively gains every permission the user could have granted to an app. "This includes stealing personal information from the compromised Facebook account, and gaining the ability to read users' inboxes, outboxes, manipulate pages, ads, view and tag private photos with 'full permission' to target Facebook accounts," he explains.

Attackers up their game

Patel says, over the years, Cyberoam has seen attack methods evolving in sophistication. Social engineering, the art of luring people into chasing/clicking nasty malware/virus payloads, has become exceedingly successful due to the growing popularity of social media, smart devices and anywhere connectivity.

"We recommend that users of social media exercise caution while opening a suspicious link, an image or a video on social media. If they can't resist temptation and still wish to follow such links, it is wise to open such links in a different browser. Changing passwords on a regular basis is indeed a good practice."

He adds a caveat: "Such attacks tend to camouflage malicious links with familiar looking URLs or tempting visuals. Moreover, these attacks are so deft that even after opening a malicious link, the victim will see no anomaly, as the attacks leave no clue or hint while stealing account credentials in a clean sweep."

Earlier this year, ITWeb reported CTRL had uncovered a similar flaw in Facebook's access token authorisation mechanism that could trigger various malicious attacks on victim users.

However, Patel describes this latest exploit as a "more astute" attack method.

"What makes the attack more lethal is the fact that it doesn't require any pre-installed app in the victim user's Facebook account."
