Meta has fixed a series of bugs that could have allowed a malicious actor to take over a user’s Facebook account, paying their finder a $44,625 bug bounty.
Security researcher Youssef Sammouda was able to hijack the accounts of Facebook users who had signed up with a Gmail account, by stealing the Google OAuth id_token/code issued for them and using it to log in to the site.
And, he tells The Daily Swig, the same technique could have been used against any other account: “Due to the complexity of developing such an exploit to do exactly that, I only submitted the exploit for the scenario that resulted in taking over Facebook accounts that authenticated with Google,” he says.
Chained exploit
The Facebook exploit leveraged a series of vulnerabilities: a logout CSRF bug that allowed an attacker to force a victim to log out of their Facebook account in their own browser, and a login CSRF bug that allowed the attacker to log the victim’s browser into the attacker’s Facebook account.
Meanwhile, a vulnerability in Facebook’s Checkpoint tool leaked any URL visited under facebook.com to the Sandbox Domain; and, finally, an XSS vulnerability in the Facebook Sandbox Domain allowed the attacker to execute JavaScript in the context of that domain.
Chaining these allowed Sammouda to take over the accounts.
“We log out the user from their Facebook account, we force the login to the attacker’s Facebook account,” he explained.
“At this point, the attacker’s Facebook account is stuck at the Checkpoint tool; we redirect to Google OAuth which eventually redirects us to Facebook.com with a special token and code.
The researcher added: “Facebook.com leaks the token and code to the sandbox domain and we finally exploit the XSS bug to steal the token and code from the sandbox domain.”
Coordinated disclosure
Sammouda says the reporting process was efficient and straightforward: he reported the bugs to Meta on February 16, with the company fixing the issues on March 21. He received his payout on May 14.
This isn’t Sammouda’s first bumper bounty. Indeed, he’s reported a dozen Facebook bugs with similar payouts before.
Last year, for example, he made $126,000 for discovering a set of three flaws in Facebook’s Canvas technology, with follow-up work netting him $98,000 earlier this year.
This latest payout, he says, “reflects the severity of the bug, and also how much Meta cares about the security of users’ accounts”.
We’ve invited Facebook to comment and will update if we hear anything further.
Full technical details can be found in Sammouda’s latest blog post.