Full Disclosure mailing list archives
Facebook Platform Hack - Critical Access Token Vulnerabilities
From: Vulnerability Lab <research () vulnerability-lab com>
Date: Thu, 4 Oct 2018 14:45:54 +0200
Information: The vulnerability concerning the access token issue was already reported in December 2017 and January 2018 to the Facebook security team. In the ticket communication, all three researchers disclosing the issue were denied a reward because the Facebook whitehat team did not see the entire risk and the combined problems. Our researchers tried to report the issues in several ways to protect the public, but after the tickets were closed without good arguments, we silently waited until the situation popped up again. We recorded videos of the zero-day issues in several app auth services and noted the problem several times without reaching a point with Facebook where a solution was issued. Finally there was only one way to deal with it, and this is the way we did it.

Responsible for the disclosure of the vulnerabilities are Lawrence Amer of team Vulnerability Lab, S******* P**** and Nirmal Thape. Responsible for the reports to Facebook and the follow-up communication were Lawrence Amer and Benjamin Kunz Mejri.

Title: Facebook Inc via Instagram Business - Remote Access Token Vulnerability (Original Facebook Video)
URL: https://www.youtube.com/watch?v=4Obsd1Qw7uU

Title: Facebook Access Token Vulnerability - Retrieve Data via Instagram Business
URL: https://www.youtube.com/watch?v=tdLKRky1Da4

Author: Lawrence Amer
https://www.vulnerability-lab.com/show.php?user=Lawrence%20Amer

The issue had several vectors and was exploitable using different functions such as "View As", preview and other Facebook functions.

Note: The access tokens have already been invalidated or refreshed, which does not allow attackers to regain access.

Today Facebook replied that it is evaluating whether to pay the mentioned researchers for the findings. We send friendly greetings back to Facebook and also to the US supervisory authority watching the case.
--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/