have allowed an attacker to hack your Facebook account without any
further interaction.
A security researcher discovered a critical cross-site request
forgery (CSRF) vulnerability in the most popular social media
platform that could have allowed attackers to hijack Facebook
accounts simply by tricking the targeted users into clicking on a
link.
The researcher, who goes by the online alias “Samm0uda,”
discovered the vulnerability after he spotted a flawed endpoint
(facebook.com/comet/dialog_DONOTUSE/) that could have been
exploited to bypass CSRF protections and take over a victim’s
account.
“This is possible because of a vulnerable endpoint which takes
another given Facebook endpoint selected by the attacker along with
the parameters and makes a POST request to that endpoint after
adding the fb_dtsg parameter,” the researcher says on his blog.
“Also this endpoint is located under the main domain
www.facebook.com which makes it easier for the attacker to trick
his victims to visit the URL.”
specially crafted Facebook URL, as mentioned on his blog, designed
to perform various actions such as posting anything on their
timeline, changing or deleting their profile picture, and even
tricking users into deleting their entire Facebook accounts.
1-Click Exploit to Completely Take Over Facebook Accounts
Taking full control of a victim’s account or tricking them into
deleting their entire Facebook account requires some extra effort
from the attacker’s side, as victims need to enter their password
before the account is deleted.
To do this, the researcher said, the victim would have to visit
two separate URLs: one to add the email address or phone number
and one to confirm it.
It’s “because the ‘normal‘ endpoints used to add emails
or phone numbers don’t have a ‘next‘ parameter to redirect
the user after a successful request,” the researcher says.
However, the researcher still made a full account takeover
possible with a single URL by finding the endpoints where the
‘next’ parameter is present, authorizing a malicious app on
behalf of the victim and obtaining their Facebook access token.
With access to the victims’ authentication tokens, the exploit
automatically adds an attacker-controlled email address to their
account, allowing the attacker to fully take over accounts by
simply resetting their passwords and locking the legitimate users
out of their Facebook accounts.
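To make the two mechanisms described above concrete, here is an added toy model written for this page. It is not Facebook’s code and not the researcher’s exploit; every name in it (the Session class, the /comet/dialog and /settings/* paths, fb_dtsg as the token name, the example domains and addresses) is an assumption. It shows a forwarding endpoint that appends the caller’s own CSRF token to an attacker-chosen POST, a ‘next’ parameter that chains a second request so the add-then-confirm flow fits in one link, and, behind the `fixed` flag, the obvious fix: the forwarder must itself demand the token.

```python
# Added illustration, not Facebook's or the researcher's code. All endpoint
# names, the Session class and the token handling are assumptions.
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

ORIGIN = "https://www.social.example"          # stands in for www.facebook.com
EVIL = "attacker@evil.example"                 # attacker-controlled address


class Session:
    """Server-side state for one logged-in user (constructed sample data)."""
    def __init__(self, user):
        self.user = user
        self.csrf_token = secrets.token_hex(8)  # plays the role of fb_dtsg
        self.emails = [f"{user}@example.com"]
        self.pending_email = None
        self.log = []                           # state changes actually made


def add_email(sess, body):
    sess.pending_email = body["email"]
    sess.log.append(("add_email", body["email"]))


def confirm_email(sess, body):
    if sess.pending_email == body["email"]:
        sess.emails.append(body["email"])
        sess.pending_email = None
        sess.log.append(("confirm_email", body["email"]))


# Ordinary state-changing endpoints: POST only, token must match the session.
ACTIONS = {"/settings/add_email": add_email, "/settings/confirm_email": confirm_email}


def _flat(qs):
    return {k: v[0] for k, v in parse_qs(qs).items()}


def handle(sess, method, url, body, *, fixed):
    """Dispatch one request and return an HTTP-style status string."""
    parts = urlsplit(url)
    query = _flat(parts.query)
    if parts.path in ACTIONS:
        if method != "POST" or body.get("fb_dtsg") != sess.csrf_token:
            return "403"                        # normal CSRF protection holds
        ACTIONS[parts.path](sess, body)
        return "200"
    if parts.path == "/comet/dialog":
        # The flawed forwarder: takes an attacker-chosen target plus params,
        # appends the caller's *own* fb_dtsg and POSTs on their behalf.
        if fixed and query.get("fb_dtsg") != sess.csrf_token:
            return "403"                        # fix: the forwarder needs the token too
        target, nxt = query.pop("target", ""), query.pop("next", None)
        query.pop("fb_dtsg", None)
        forwarded = {**query, "fb_dtsg": sess.csrf_token}
        status = handle(sess, "POST", ORIGIN + target, forwarded, fixed=fixed)
        # `next` lets one link chain a second request. A same-host check on it
        # (a common open-redirect guard) does not stop chaining to the app's own URLs.
        if status == "200" and nxt and urlsplit(nxt).netloc == urlsplit(ORIGIN).netloc:
            return handle(sess, "GET", nxt, {}, fixed=fixed)
        return status
    return "404"


def visit(sess, url, *, fixed):
    """Victim's browser follows a link: top-level GET, cookies sent, no fb_dtsg."""
    return handle(sess, "GET", url, {}, fixed=fixed)


def attacker_link():
    """One URL that adds EVIL to the account and then confirms it via `next`."""
    step2 = ORIGIN + "/comet/dialog?" + urlencode(
        {"target": "/settings/confirm_email", "email": EVIL})
    return ORIGIN + "/comet/dialog?" + urlencode(
        {"target": "/settings/add_email", "email": EVIL, "next": step2})


def run_attack(*, fixed):
    """Return (status of direct attempt, status via forwarder, emails, log)."""
    sess = Session("victim")
    # A cross-site request aimed straight at the real endpoint is rejected...
    direct = visit(sess, ORIGIN + "/settings/add_email?" + urlencode({"email": EVIL}),
                   fixed=fixed)
    # ...but the same request routed through the forwarder is not.
    via_dialog = visit(sess, attacker_link(), fixed=fixed)
    return direct, via_dialog, list(sess.emails), list(sess.log)


if __name__ == "__main__":
    print(run_attack(fixed=False))   # forwarder lets the attacker's email in
    print(run_attack(fixed=True))    # forwarder rejects the tokenless request
```

Two details worth noting. The victim’s request is a top-level GET navigation, so cookies marked SameSite=Lax are still sent with it; that attribute alone would not have stopped this, and the protection has to live on the forwarding endpoint. And the same-host check on ‘next’ is deliberately left in place to show that an anti-open-redirect guard is no defence against chaining requests to the application’s own URLs.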
Though the full Facebook account takeover hack involved multiple
steps, the researcher said the complete one-click exploit would
have allowed any malicious user to hijack your Facebook account “in
the blink of an eye.”
Such account takeover attacks can be mitigated if you have
enabled two-factor authentication for your Facebook account, which
prevents attackers from logging into your account unless they can
also supply the 6-digit passcode sent to your mobile device.
However, no user-side setting, two-factor authentication included,
would have prevented attackers from performing some actions on
your behalf by leveraging this vulnerability, such as changing or
deleting your profile pictures or albums or posting anything on
your timeline.
Samm0uda reported the vulnerability with the details of his
exploit to Facebook on January 26. The social media giant
acknowledged the issue and addressed it on January 31, rewarding
the researcher with $25,000 as part of Facebook’s bug bounty
program.
Read more http://feedproxy.google.com/~r/TheHackersNews/~3/7d95SovL-L0/hack-facebook-account-password.html