Facebook authorisation flaw triggers attacks
While investigating ongoing Facebook spam, 'lady with razor-sharp axe', Cyberoam Threat Research Labs (CTRL) uncovered a critical flaw in the social network's access token authorisation mechanism.
The flaw opens the door to malfeasance, allowing attackers to perform a range of malicious activities such as uploading photos and videos, posting comments, paying with Facebook, publishing content, sending SMSes, reading mail and tagging friends' photos - pretty much every task a legitimate Facebook user can perform.
"Ongoing Facebook spam such as 'lady with razor-sharp axe' tends to store stolen Facebook access tokens on their servers for further attacks or exploits. This attack is not limited only to tagging or uploading of photos. Upon clicking the link, Facebook users are unwittingly handing over complete access to their Facebook accounts, which remains available to attackers even after an affected user logs out from the Facebook account," says Bhadresh Patel, lead vulnerability researcher at CTRL.
CTRL says the vulnerability, which allows cyber attackers to bypass Facebook's access token authorisation mechanism, gives them the ability to generate unauthorised yet valid access tokens.
Facebook has been notified of the vulnerability, and more details from CTRL "will be revealed upon suitable reciprocation or release of security patch from Facebook", says the company.
To avoid falling foul of this scam, CTRL suggests the following safeguards. First, do not click the video link. For those for whom the warning comes too late, CTRL advises changing their Facebook account password immediately, as this causes the old access tokens to expire.
The company further advises users to turn off "Apps you use" under App Settings in their Facebook accounts, so that no app is able to obtain access tokens for their accounts.