Next-level account takeover
A security researcher has disclosed a second tranche of bugs in Facebook Canvas that, like their predecessors, pose an account takeover risk.
Security researcher Youssef Sammouda earned $126,000 in bug bounties last year for discovering a set of three flaws in Facebook’s Canvas technology, which is used for embedding online games and interactive apps in its platform.
Sammouda detailed these issues in a technical blog post, published last September.
The security researcher recently decided to revisit the issue, leading to the discovery of a fresh set of problems in Facebook’s OAuth implementation.
Sammouda told The Daily Swig: “Meta failed to ensure either in the client-side or server-side applications that the game website would only be able to request an access_token for its application and not a first-party application like Instagram.”
The researcher continued: “It also failed to ensure that the generated Facebook API access_token would only reach the domains/websites that were added by the Facebook first-party application.”
Left unresolved, these problems would have allowed an attacker website to be able to steal a first-party access_token and take over a Facebook account and any other accounts linked to it, such as for Oculus or Instagram.
Facebook’s initial attempts at addressing the problem last year were found to be deficient. More specifically, Sammouda discovered three new flaws: a race conditions issue, bypasses to the previous fix, and an issue involving encrypted parameters.
Fortunately, in response to Sammouda’s criticisms Facebook has tightened up its controls and released a more comprehensive fix.
Sammouda explained: “This was resolved by Meta by making sure that parameters passed in the OAuth endpoint request from the game website were whitelisted and also by always enforcing the value of app_id and client_id parameters passed to be always the game application ID that’s making the request.”
A follow up technical blog post – published by Sammouda last week – explores the deficiencies of Facebook’s initial attempt at addressing the problem. Sammouda’s follow-up work earned him an additional $98,000 payday.
“Finally, Meta decided to apply the obvious fix and limit the control we have over the OAuth request. A whitelist of allowed parameters was added and the application would filter out any other parameters, of course with app_id and client_id always set to the current app_id,” Sammouda concluded.
The Daily Swig invited Facebook/Meta to comment on Sammouda’s latest findings. No word as yet but we’ll update this story as and when more information comes to hand.