Bitdefender has discovered a significant vulnerability within Facebook which allowed access to any user account through simple social login manipulation. The attacker was able to gain access to personal user information, a contacts list for potential malware distribution and payment information – allowing purchases to be made in the user’s name.
The attack vector in this case – social logins – is an alternative to traditional authentication. This form of access offers users a convenient way to sign in to their web accounts without entering a username and password, and a majority of websites offer social login through Facebook, LinkedIn, Twitter or Google+. Bitdefender researchers identified a method to steal a user’s identity and access their accounts using Facebook’s Login plugin.
Ionut Cernica, Vulnerability Researcher at Bitdefender and the researcher behind the discovery of the flaw, states, “This is a serious vulnerability – it allows attackers to log in on most websites that feature Facebook Login. This means an attacker can make payments on the user’s behalf on an e-commerce site, for instance.”
Details of the discovery
The Bitdefender researcher successfully bypassed the confirmation step typically required when registering a new Facebook email address. He created a Facebook account utilising the user’s email address, and during the registration process, swapped the email address for one under his control.
For the attack to succeed, the user’s email address must not already be registered on Facebook. Since most internet users have more than one email address published online, finding an unregistered address to leverage presented little challenge for the attacker seeking access to a user’s Facebook account.
To verify the identity of a user without exposing their credentials, Login with Facebook uses the OAuth protocol, through which Facebook is authorised to share some user information with third-party websites. When the Bitdefender researcher attempted to sign in via the “Facebook Login” button on a separate site, he was asked to confirm his own email address, not that of the user. Under ‘account settings’ in Facebook, the user’s address was listed as the primary contact, even though the researcher had only confirmed his own address.
Ionut Cernica adds, “I used Facebook Login again and decided to switch the primary contact from the user’s address to mine, then switch them again to change the user account to the primary. This is an important step in reproducing the issue.”
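The weakness that the relying sites exposed is that they treated the email address handed over by the identity provider as proof of ownership and linked it straight to an existing local account. The following example is added here as an illustration of how a third-party site can decide whether a social login may be attached to a local account; it is not code from Bitdefender or Facebook and does not model Facebook’s actual API responses. It assumes the identity provider returns an `email_verified` flag (the standard OpenID Connect claim) alongside a stable per-user subject identifier; the account data is constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Assumed shape of what the identity provider returns after the OAuth/OIDC flow.
# 'email_verified' follows the OpenID Connect standard claim; whether a given
# provider sends it is an assumption for this example.
@dataclass(frozen=True)
class SocialIdentity:
    provider: str             # e.g. "facebook" (constructed label)
    subject: str              # provider's stable user identifier
    email: Optional[str]      # email address the provider reports
    email_verified: bool      # provider's assertion that it verified the address


LinkKey = Tuple[str, str]


def resolve_login(
    identity: SocialIdentity,
    local_accounts: Dict[str, str],   # email -> local user id
    linked: Dict[LinkKey, str],       # (provider, subject) -> local user id
) -> Tuple[str, Optional[str]]:
    """Decide what a social login may do. Returns (decision, local_user_id).

    decision is one of:
      "login"                - identity is bound to a local account, sign in
      "require_verification" - email matches a local account but the provider
                               did not verify it; the user must prove ownership
                               locally before any linking happens
      "register"             - no local account matches; start normal signup
    """
    key = (identity.provider, identity.subject)

    # 1. A previously linked (provider, subject) pair is the strongest signal:
    #    it does not depend on the email address at all.
    if key in linked:
        return ("login", linked[key])

    email = (identity.email or "").strip().lower()

    # 2. Auto-link by email only when the provider asserts the address is
    #    verified. An unverified address is exactly what the attack above
    #    abused: the attacker's profile carried the victim's email.
    if email and email in local_accounts:
        if identity.email_verified:
            user_id = local_accounts[email]
            linked[key] = user_id   # bind the stable subject for future logins
            return ("login", user_id)
        return ("require_verification", None)

    # 3. Unknown email: treat as a new user; local signup applies its own
    #    email confirmation step.
    return ("register", None)


if __name__ == "__main__":
    # Constructed sample data: one existing local account for the victim.
    accounts = {"victim@example.com": "user-1001"}
    links: Dict[LinkKey, str] = {}

    # Attacker's Facebook profile reports the victim's address, unverified.
    attacker = SocialIdentity("facebook", "sub-attacker", "victim@example.com", False)
    print(resolve_login(attacker, accounts, links))   # ("require_verification", None)

    # The legitimate owner arrives with a verified address and gets linked.
    owner = SocialIdentity("facebook", "sub-owner", "victim@example.com", True)
    print(resolve_login(owner, accounts, links))      # ("login", "user-1001")
    print(resolve_login(owner, accounts, links))      # now bound by subject
```

The key design choice is that the email address is only ever a hint: the durable binding is the provider’s subject identifier, created once, and only after either the provider’s verified-email assertion or a local ownership check. A site that linked on email alone would have signed the attacker straight into the victim’s account.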
Facebook fixed the vulnerability after notification from the Bitdefender security team.