Account Hijack with a Twist: Facebook OAuth Exploitation “Unfixable”
The advent of social networking changed not only the way people interact with each other; it also raised new challenges in authenticating the rich ecosystem of third-party applications that interact with the account.
Since logging into an application with your social network’s credentials is like handing your house keys to people you barely know, the Open Authorization (OAuth) standard has become increasingly popular. It mediates the interaction between end users and third-party apps without sharing username/password combinations.
Researcher Nir Goldshlager found a way to hijack the authorization tokens of every user of a specific application simply by exploiting a redirection flaw in the app vendor’s website.
Before reading further, take a look at how the OAuth framework works. If you don’t feel like reading technical documentation, here’s the rundown: the application you wish to use asks for a series of permissions to interact with your account. When you accept, Facebook hands the application an authorization token (think of it as something like a cookie): a random string that grants temporary access to the Facebook APIs, scoped to the permissions you approved.
Exploitation of the OAuth mechanism is achieved by abusing a parameter called “redirect_uri”, which tells Facebook where to deliver the token. An attacker who can influence that final destination receives the token through a malicious application he controls.
“The attacker merely needs to locate a site redirection issue on the developer or owner’s app domain, and that’s it. They will be able to take the access_tokens of any user on Facebook who uses that particular app,” wrote Goldshlager on his blog. “Additionally, Facebook is powerless when it comes to fixing this issue. In fact, the developer or owner of the app needs to take responsibility for these flaws in order to avoid the potentially pernicious site redirection attacks.”
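The flaw described above comes down to two checks, one on each side of the OAuth exchange: the authorization server must accept only a redirect_uri that matches the registered one exactly, and the app itself must not host an open redirector. The following is an added example, not code from the article or from Goldshlager’s write-up, and it does not reproduce Facebook’s actual validation logic. The app id `example-app`, the host `app.example.com` and the registered callback are constructed placeholders. `domain_only_allowed` shows the weak host-only comparison that a redirector on the vendor’s domain slips past; `strictly_allowed` is the exact-match form; `safe_local_target` is the app-side guard that stops a `next`/`url` style parameter from sending the browser (and whatever it carries) off-site.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed registrations for a hypothetical app ("example-app") on a
# hypothetical vendor host ("app.example.com"). Placeholders, not real data.
REGISTERED_REDIRECTS = {
    "example-app": {"https://app.example.com/oauth/callback"},
}


def _normalize(uri):
    """Canonical form for exact comparison: lower-case scheme and host,
    default ports dropped, empty path made '/', fragment discarded."""
    parts = urlsplit(uri)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port  # raises ValueError on a malformed port
    default = (scheme == "https" and port == 443) or (scheme == "http" and port == 80)
    netloc = host if port is None or default else f"{host}:{port}"
    return urlunsplit((scheme, netloc, parts.path or "/", parts.query, ""))


def domain_only_allowed(app_id, redirect_uri):
    """Anti-pattern: accepts any URL whose host matches a registered one.
    Any redirector on that host then passes the check, which is exactly
    the weakness the article describes."""
    host = urlsplit(redirect_uri).hostname
    return any(urlsplit(r).hostname == host
               for r in REGISTERED_REDIRECTS.get(app_id, ()))


def strictly_allowed(app_id, redirect_uri):
    """Hardened check: the supplied redirect_uri must equal a registered
    URI exactly (scheme, host, port, path and query) after normalization."""
    try:
        parts = urlsplit(redirect_uri)
        if parts.scheme.lower() != "https":
            return False  # tokens never travel over plain HTTP
        if parts.fragment or parts.username or parts.password:
            return False  # fragments and userinfo have no business here
        candidate = _normalize(redirect_uri)
        registered = {_normalize(r) for r in REGISTERED_REDIRECTS.get(app_id, ())}
    except ValueError:
        return False  # unparseable input is rejected, never "best-effort" matched
    return candidate in registered


def safe_local_target(target, default="/"):
    """App-side guard for a 'next'/'url' style parameter: honour only a
    relative path on this site, otherwise fall back to a fixed default.
    Rejects absolute URLs, protocol-relative '//host' and the '/\\host'
    form that browsers also treat as a host switch."""
    if not target or not target.startswith("/"):
        return default
    if target.startswith("//") or target.startswith("/\\"):
        return default
    parts = urlsplit(target)
    if parts.scheme or parts.netloc:
        return default
    return target


if __name__ == "__main__":
    # Constructed inputs: the registered callback and a URL that merely
    # shares the registered host.
    for uri in ("https://app.example.com/oauth/callback",
                "https://app.example.com/redirect?url=https://other.example"):
        print(uri, "host-only:", domain_only_allowed("example-app", uri),
              "strict:", strictly_allowed("example-app", uri))
    print(safe_local_target("//other.example/"), safe_local_target("/account"))
```

`strictly_allowed` models what the authorization server should enforce; `safe_local_target` is the change the quoted paragraph says app developers must make on their own side, since no amount of token scoping helps once the browser has been bounced to a third party.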
Here are a few things that can minimize the impact of the flaw:
- Keep your applications to an absolute minimum. Don’t authorize applications you don’t use, as each one enlarges your attack surface.
- Read the application’s permissions and revoke any permission you’re not comfortable with. As a rule of thumb, the fewer the permissions, the safer your account. As noted above, the auth token is scoped to the permissions granted to each application, so if one of your apps leaks its token, it is far better if that token cannot post on your behalf or read your contacts. Your friends will thank you.
- Use a Facebook protection application such as SafEgo to scan content posted on your wall and to assess the privacy level of your account. If someone’s account is compromised and potentially malicious content lands on your wall, the application flags it and keeps you from falling for scams.