
Fresh Flaws in Facebook Canvas Second Time


Security researcher Youssef Sammouda has disclosed a second tranche of bugs in Facebook Canvas, each of which raises the risk of account takeover.

Sammouda published a detailed post last September in which he said he had earned $126,000 in bug bounties the previous year for a set of three flaws in Facebook's Canvas technology, the feature that lets online games and interactive apps be embedded inside the Facebook platform.

After discovering a new flaw in Facebook's OAuth implementation, Sammouda decided to revisit the Canvas issue.

Describing the attack in his write-up, Sammouda wrote: “Meta failed to ensure either in the client-side or server-side applications that the game website would only be able to request an access_token for its application and not a first-party application like Instagram...”

“…It also failed to ensure that the generated Facebook API access_token would only reach the domains/websites that were added by the Facebook first-party application,” the researcher added. 

While unpatched, these flaws could let an attacker take over a victim's Facebook account together with any accounts linked to it, such as Instagram or Oculus.

Facebook's initial fix last year turned out to be inadequate against the attack: Sammouda came up with three new issues, a race condition, a problem involving encrypted parameters, and bypasses of the previous fix. Following Sammouda's follow-up report, Facebook released a more comprehensive fix.

“This was resolved by Meta by making sure that parameters passed in the OAuth endpoint request from the game website were whitelisted and also by always enforcing the value of app_id and client_id parameters passed to be always the game application ID that’s making the request,” Sammouda said. 
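The two failures Sammouda quotes above (a game page requesting a first-party app's token, and that token being delivered to a domain the first-party app never registered) and the fix he describes here (parameter whitelisting plus forcing app_id/client_id to the requesting game's ID) can be modelled in a few lines. The following is an added example written for this page, not Meta's code; the app registry, the whitelist, the application names and the token format are all assumptions, and the real Canvas flow has many more moving parts than this model.

```python
from urllib.parse import urlsplit


class OAuthError(Exception):
    """Raised when a Canvas OAuth request is refused."""


# Constructed sample registry: application IDs, whether each is a Facebook
# first-party app, and the domains that app has registered for redirects.
# These names are assumptions for the example, not real Facebook identifiers.
APPS = {
    "game_app": {"first_party": False, "domains": {"game.example"}},
    "instagram_app": {"first_party": True, "domains": {"instagram.example"}},
}

# Parameters a Canvas game page is permitted to pass to the OAuth endpoint
# (assumed whitelist; the real list is not published on the page).
ALLOWED_PARAMS = {"app_id", "client_id", "redirect_uri", "scope", "state"}


def vulnerable_issue_token(caller_app_id, params):
    """Model of the pre-fix behaviour the post describes.

    The endpoint trusts the app_id/client_id and redirect_uri the game page
    put in the request, so a game can ask for a token belonging to a
    first-party app and have it sent back to the game's own domain.
    """
    app_id = params.get("client_id") or params.get("app_id") or caller_app_id
    if app_id not in APPS:
        raise OAuthError("unknown application")
    return {
        "app_id": app_id,
        "access_token": f"token-for-{app_id}",  # stand-in for a real token
        "redirect_uri": params["redirect_uri"],
    }


def hardened_issue_token(caller_app_id, params):
    """Model of the fix Sammouda describes.

    1. Only whitelisted parameters are accepted from the game page.
    2. app_id/client_id must equal the ID of the game making the request.
    3. The token may only be delivered to a domain registered by that app.
    """
    unknown = set(params) - ALLOWED_PARAMS
    if unknown:
        raise OAuthError(f"parameter not allowed: {sorted(unknown)}")

    for name in ("app_id", "client_id"):
        if name in params and params[name] != caller_app_id:
            raise OAuthError(f"{name} must be the requesting game's ID")
    app_id = caller_app_id

    target = urlsplit(params.get("redirect_uri", ""))
    if target.scheme != "https" or target.hostname not in APPS[app_id]["domains"]:
        raise OAuthError("redirect_uri is not a registered domain of this app")

    return {
        "app_id": app_id,
        "access_token": f"token-for-{app_id}",
        "redirect_uri": params["redirect_uri"],
    }


def rejects(issue, caller_app_id, params):
    """True if `issue` refuses the request, False if it hands out a token."""
    try:
        issue(caller_app_id, params)
    except OAuthError:
        return True
    return False


# Constructed attack request: the game page (game_app) asks for an Instagram
# token and points redirect_uri at its own domain.
ATTACK = {"client_id": "instagram_app", "redirect_uri": "https://game.example/cb"}
# Constructed legitimate request from the same game page.
LEGIT = {"redirect_uri": "https://game.example/cb", "scope": "email", "state": "xyz"}

if __name__ == "__main__":
    print("vulnerable:", vulnerable_issue_token("game_app", ATTACK))
    print("hardened rejects attack:", rejects(hardened_issue_token, "game_app", ATTACK))
    print("hardened legit:", hardened_issue_token("game_app", LEGIT))
```

The point a practitioner should take from the model is where `caller_app_id` comes from: it must be derived server-side from the Canvas context that loaded the game, never from anything the game page can put in the request, otherwise forcing `client_id` to equal it achieves nothing. The race condition and encrypted-parameter issues Sammouda mentions are not modelled here, since the page gives no detail on them.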

Account takeover attacks pose a significant risk because they give an attacker the same access to systems that the legitimate account owner has. Once inside a user's account, an attacker typically moves to consolidate that access and then exploits it to harm the user or the organization.