Man-in-the-Middle Attack on Facebook User Access_Token - BestCyberNews: Online News Presenter in the present world

BestCyberNews: Online News Presenter in the present world

Start knowing

test banner


Man-in-the-Middle Attack on Facebook User Access_Token

According to security researcher Ahmed Elsobky, as a user "access token" is granted to the Facebook application, when the user authorizes it, it provides temporary and secure access to Facebook APIs.

It is possible, users have to 'allow or accept' the application request so that an app can access your account information with the required permissions.

The Access Token stores information about permissions that have been granted as well as information about when the token will expire and which app generated it. 

Approved Facebook apps can publish or delete content on your behalf using the access tokens, rather than your Facebook password.

Facebook will accept the HTTP link at the redirect_uri parameter so a GET request would be sent and the user will get a 302 redirect to that HTTP URL with the access_token value of the application with all of its permissions.

As an example: If the user has authorized Facebook Graph APIs Explorer app,which is an official app of Facebook and used by many developers. Then an attacker can get its access_token via a link.
Facebook allows the HTTP version of the Canvas URL to be used even if the app already has an HTTPS URI and also Facebook allows the request without any special tokens so anyone can make a request.

Access tokens are pretty sensitive, because anyone who knows the access token of a user can access the user's data and can perform any actions on behalf of the user, till the token is valid.

access token is enough to allow a hacker to do all that the app authorized to do. The vulnerability is not new, it has already been known for a year, but Facebook is still vulnerable to hackers and surveillance specialized agencies like the NSA.

First of all this vulnerability isn't patched and I think that it won't get patched, this has been reported since 5/9/2013 but Facebook Security team can't solve this to an acceptable level till now.

Author Venkatesh Yalagandula Follow us Google + and Facebook and Twitter

No comments:

Post a Comment