Connect with us

Hi, what are you looking for?

Hard News Hard Hitting News Source Global Political News

Cyber Security

Facebook account takeover: Researcher scoops $40k bug bounty for chained exploit

Meta has fixed a series of bugs that could have allowed a malicious actor to take over a user’s Facebook account, paying their finder a $44,625 bug bounty.

Security researcher Youssef Sammouda was able to hijack the accounts of Facebook users who signed up using a Gmail account and use a Gmail OAuth id_token/code to log in to the site.

And, he tells The Daily Swig, the same technique could have been used any other account: “Due to the complexity of developing such an exploit to do exactly that, I only submitted the exploit for the scenario that resulted in taking over Facebook accounts that authenticated with Google,” he says.

Chained exploit

The Facebook exploit leveraged a series of vulnerabilities, including a Logout CSRF bug allowing an attacker to force a victim to log out from their Facebook account in their browser and a Login CSRF bug allowing login to the attacker’s Facebook account inside the victim’s browser.

Meanwhile, a vulnerability in Facebook’s Checkpoint tool in allowed leaking any visited URL under Facebook.com to the Sandbox Domain; and, finally, an XSS vulnerability in the Facebook Sandbox Domain allowed the attacker to execute Javascript code in the context of the Sandbox Domain.

Chaining these allowed Sammouda to take over the accounts.

“We log out the user from their Facebook account, we force the login to the attacker’s Facebook account,” he explained

“At this point, the attacker’s Facebook account is stuck at the Checkpoint tool; we redirect to Google OAuth which eventually redirects us to Facebook.com with a special token and code.

The researcher added: “Facebook.com leaks the token and code to the sandbox domain and we finally exploit the XSS bug to steal the token and code from the sandbox domain.”

Coordinated disclosure

Sammouda says the reporting process was efficient and straightforward: he reported the bugs to Meta on February 16, with the company fixing the issues on March 21. He received his payout on May 14.

This isn’t Sammouda’s first bumper bounty. Indeed, he’s reported a dozen Facebook bugs with similar payouts before.

Last year, for example, he made $126,000 for discovering a set of three flaws in Facebook’s Canvas technology, with follow-up work netting him $98,000 earlier this year.

This latest payout, he says, “reflects the severity of the bug, and also how much Meta cares about the security of users accounts”.

We’ve invited Facebook to comment and will update if we hear anything further.

Full technical details can be found in Sammouda’s latest blog post.

Advertisement. Scroll to continue reading.

Source: https://portswigger.net/daily-swig/facebook-account-takeover-researcher-scoops-40k-bug-bounty-for-chained-exploit

Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

You May Also Like

Cyber Security

Belgium became a haven for ethical hackers following the adoption of a nationwide safe harbor agreement last month. The framework means that well-intentioned security researchers are free...

Cyber Security

Twitter faced further criticism this week when Elon Musk’s social networking platform announced SMS-based 2FA will only be available to paying customers going forward....

Cyber Security

ANALYSIS Weaknesses in the existing CVSS scoring system have been highlighted through new research, with existing metrics deemed responsible for “overhyping” some vulnerabilities. So-called “overinflated” ratings...

Cyber Security

Apache has resolved a vulnerability potentially exploitable to launch remote code execution (RCE) attacks using Kafka Connect. Announced on February 8, the critical vulnerability...

Copyright © 2023 Hard News Herd Hitting in Your Face News Source | World News | Breaking News | US News | Political News Website by Top Search SEO