A security researcher won a hefty bounty for reporting multiple vulnerabilities in Facebook which triggered account takeover attacks. These bugs appear unique in that they selectively affected accounts signed up via Gmail.
Facebook Account Takeover Vulnerabilities
Recently, the security researcher Youssef Sammouda explained how he caught multiple bugs affecting Facebook. The researcher noticed that exploiting the vulnerabilities in a chained manner could allow Facebook account takeover attempts.
Briefly, the researcher first noticed the bug in the “Facebook Checkpoint” page that used Google Captcha for login attempt verification. Sammouda noticed that the page leaked parameters for any visited endpoint in the parent URL.
While Facebook has included the Captcha in a sandbox domain, it became possible for an adversary to leak the parameters via XSS. That’s what the researcher noticed – an XSS vulnerability in the sandbox domain.
Then, the other vulnerabilities included login and logout CSRF that allowed targeting the Gmail OAuth. As stated,
Gmail sends back the OAuth code/token to www.facebook.com if the user is logged in to Gmail, and since we can steal anything that is coming to www.facebook.com we can use the Google OAuth code to login to the Facebook account that has that Gmail account linked to it.
Eventually, the researcher could chain all the bugs to steal the Google OAuth code and id_token to take over the target account.
The researcher has shared the details of the bug in his post.
Facebook Patched The Flaws
According to the timelines shared, the researcher reported the vulnerabilities to Facebook in February this year. The tech giant acted quickly, acknowledging the bugs and moving on to develop patches.
Then, on March 21, 2022, Facebook fixed all the vulnerabilities alongside rewarding the researcher with a hefty $44625 bounty.
Since the patches have already been released, the tech giant has potentially secured all Facebook users from this exploit.
Let us know your thoughts in the comments.