A critical vulnerability was recently found in Facebook that could allow an attacker to hijack, and take control over, accounts on the social network.
No, not the one that required the attacker to just send a single SMS text message. This is a *different* vulnerability that can lead to a complete Facebook account takeover.
This latest security hole was discovered by vulnerability researcher Dan Melamed.
Melamed discovered that a security weakness existed in Facebook’s handling of accounts which have multiple email addresses associated with them.
In short, Melamed found a way of tricking Facebook into accepting an additional email address for logging into an account, without the owner of the account receiving any warning. All the victim has to do is click on a link sent to them by the attacker.
A successful attack could lead to a malicious hacker reading private messages, posting updates and private messages in the victim’s name, and taking complete control of the account.
To exploit the vulnerability, here is what was needed:
1) A Facebook account (lets call her Sharon Alisonwitz) set up by the attacker. Sharon’s account already has an email address (lets say it is email@example.com) associated with it.
2) A second Facebook account (lets call her Karen Thurnson) set up by the attacker, who will try to claim ownership of the email address.
3) A victim on Facebook (lets call her Maria Smithstein).
Here’s how it works.
The Karen account, set up by the hacker, tries to associate the email address firstname.lastname@example.org (currently associated with Sharon’s Facebook account) with their own account. When Karen tries to add the email, she is given the option to claim it.
As part of the claim process, Melamed found users are taken to a link that appears like this:
The appdata[fbid] parameter in the link is an encrypted email address. In this case, email@example.com.
The link then redirects user to the sign-in page for Hotmail.
You must sign in with the email address that matches the encrypted parameter.
Finally, you are taken to a link that looks like this:
Looking at the webpage’s source code, Melamed determined that this was where the claim process was deemed to have succeeded, and yet there was no check made that the person arriving at the page was the same person who had made the initial request to add an email address.
In our example, if Maria could be duped into visiting the URL then the attacker would now be able to access Maria’s account using the firstname.lastname@example.org login details.
One way to do this would be to create a malicious webpage which has invisibly embedded the final link inside an iFrame.
Because the victim receives no notification whatsoever that an email address has been added to their account, they would be oblivious to the attack, and be unaware that visiting a webpage has compromised their Facebook account.
The only necessity is for the victim (Maria in the example given above) to be logged into Facebook at the time that their computer visits the link.
Dan Melamed says that the link does not expire for approximately three hours, giving plenty of time for abuse. He has made a video demonstrating how the attack works. I recommend watching the video fullscreen in HD to get the most out of it, and note that there is no soundtrack.
The good news is that Dan Melamed acted responsibly, and disclosed details of the security hole to Facebook, rather than publish information about the vulnerability on the net where it could have been exploited by cybercriminals. Facebook’s security team appears to have responded rapidly, and fixed the flaw.
Melamed was awarded $1500 by Facebook’s bug bounty initiative for responsibly disclosing the vulnerability to the social network.
If you are on Facebook, and want to be kept updated with news about security and privacy risks, and tips on how to protect yourself online, join the Graham Cluley Security News Facebook page.