Forgotten Facebook API Allowed Cyber-Criminals to Spy on Users
A flaw in the Facebook REST API could have allowed cyber-criminals to spy on other users based on their user ID, according to a blog post by security researcher Stephen Sclafani.
The flaw itself came from a misconfigured endpoint, an API server that accepted REST API calls targeting an arbitrary user's profile ID.
“Through REST API calls it was possible to view a user’s private messages, view their private notes and drafts, view their primary email address, update their status, post links to their timeline, post as them to their friends’ or public timelines, comment as them, delete their comments, publish a note as them, edit or delete any of their notes, create a photo album for them, upload a photo for them, tag them in a photo, and like and unlike content for them,” Sclafani said.
“All of this could be done without any interaction on the part of the user.”
The researcher found one request, used to fetch a user's bookmarks, that went through the old REST API rather than to a dedicated bookmarks endpoint. The request was sent to a nonstandard API server.
The REST API, the predecessor of today's Facebook Graph API, exposed a set of methods that Web and desktop apps called.
Using it, the researcher was able to retrieve personal account information from other users' Facebook accounts: shortly after finding the REST API server, the researcher sent it a GET request carrying the API method name and the target user's ID.
The method parameter told the API what to retrieve, or change, and from which part of the target's account; the user ID was taken from the request itself rather than from the caller's own session, which is what let one user act on another's account. Sclafani also found cross-site request forgery vulnerabilities in the Web and desktop authentication flow.
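The pattern the article describes, a method-dispatching REST endpoint that takes both a method name and a user ID from the request, is shown below in a deliberately vulnerable form beside a hardened one. This is an added illustration, not Facebook's code or Sclafani's: the method names (`messages.get`, `status.set` and so on), the user IDs, the `https://api.example.test/rest` URL and the stored data are all constructed for the demo. The hardened handler binds the acted-on account to the authenticated session and, for state-changing methods, requires a per-session CSRF token, which is the generic fix for the two problem classes the article names (trusting a caller-supplied user ID, and missing cross-site request forgery protection); the article does not say where exactly in Facebook's authentication flow the CSRF issues sat.

```python
"""Hypothetical method-dispatching REST endpoint, vulnerable and hardened.

Added example for illustration only; not Facebook code. Method names, user IDs
and the data in fresh_store() are constructed for the demo.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlparse


def fresh_store():
    """Constructed data: two accounts and their private fields."""
    return {
        "1001": {"email": "alice@example.test", "messages": ["hi bob"],
                 "notes": ["draft"], "status": []},
        "1002": {"email": "bob@example.test", "messages": ["hi alice"],
                 "notes": [], "status": []},
    }


# Hypothetical method table: 'method' selects a read of one field or a write.
READ_METHODS = {"messages.get": "messages", "notes.get": "notes",
                "users.getEmail": "email"}
WRITE_METHODS = {"status.set"}


@dataclass
class Session:
    """Server-side session for an authenticated caller."""
    uid: str
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))


def _params(url):
    """Flatten the query string to single values (first occurrence wins)."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def vulnerable_handler(store, url, session=None):
    """Trusts the caller-supplied uid: anyone reaching the endpoint acts as any user."""
    p = _params(url)
    method, uid = p.get("method"), p.get("uid")
    if uid not in store:
        return {"ok": False, "error": "no such user"}
    if method in READ_METHODS:
        # Private data of an arbitrary account, no check that it is the caller's.
        return {"ok": True, "data": store[uid][READ_METHODS[method]]}
    if method in WRITE_METHODS:
        # State change on a plain GET with no anti-CSRF token.
        store[uid]["status"].append(p.get("text", ""))
        return {"ok": True}
    return {"ok": False, "error": "unknown method"}


def hardened_handler(store, url, session=None):
    """Binds the acted-on account to the session; writes need a valid CSRF token."""
    p = _params(url)
    method, requested = p.get("method"), p.get("uid")
    if session is None or session.uid not in store:
        return {"ok": False, "error": "unauthenticated"}
    # Object-level authorization: a uid in the request is only honoured if it is
    # the caller's own; the session, not the query string, decides whose data it is.
    if requested is not None and requested != session.uid:
        return {"ok": False, "error": "forbidden"}
    uid = session.uid
    if method in READ_METHODS:
        return {"ok": True, "data": store[uid][READ_METHODS[method]]}
    if method in WRITE_METHODS:
        token = p.get("csrf_token", "")
        # Constant-time comparison against the per-session token.
        if not hmac.compare_digest(token.encode(), session.csrf_token.encode()):
            return {"ok": False, "error": "csrf token missing or invalid"}
        store[uid]["status"].append(p.get("text", ""))
        return {"ok": True}
    return {"ok": False, "error": "unknown method"}


if __name__ == "__main__":
    store = fresh_store()
    bob = Session(uid="1002")
    # Bob (1002) asks for Alice's (1001) private messages.
    url = "https://api.example.test/rest?method=messages.get&uid=1001"
    print("vulnerable:", vulnerable_handler(store, url, bob))
    print("hardened:  ", hardened_handler(store, url, bob))
```

In the hardened version the `uid` parameter is redundant for the caller's own data and rejected for anyone else's, which is the point: an endpoint that dispatches on `method` and `uid` must still decide identity from the session, and any method that changes state must not be reachable by a bare GET that a third-party page can trigger.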