Full Disclosure mailing list archives

Facebook Platform Hack - Critical Access Token Vulnerabilities


From: Vulnerability Lab <research () vulnerability-lab com>
Date: Thu, 4 Oct 2018 14:45:54 +0200

Information: The vulnerability about the access token issue was already
reported in December 2017 and January 2018 to the Facebook security
team. In the ticket communication, all three researchers disclosing the
issue were denied a reward because the whitehat team of
Facebook did not see the entire risks and combined problematics. Our
researchers tried to report the issues in several ways to protect the public,
but after the tickets were slammed down without good arguments, we
silently waited until the situation popped up again. We recorded videos of
the zero-day issues in several app auth services and noticed the
problematic several times without coming with Facebook to a point where a
solution was issued. Finally there was only one way to deal with it, and
this is the way how we did it.

Responsible for the disclosure of the vulnerabilities are Lawrence Amer
of team Vulnerability Labs, S******* P**** and Nirmal Thape. Responsible
for reporting to Facebook and the follow-up communication were Lawrence
Amer and Benjamin Kunz Mejri.

Title: Facebook Inc via Instagram Business - Remote Access Token
Vulnerability (Original Facebook Video)
URL: https://www.youtube.com/watch?v=4Obsd1Qw7uU

Title: Facebook Access Token Vulnerability - Retrieve Data via Instagram
Business
URL: https://www.youtube.com/watch?v=tdLKRky1Da4

Author: Lawrence Amer
https://www.vulnerability-lab.com/show.php?user=Lawrence%20Amer

The issue had several vectors and was exploitable using different
functions like View As, Preview and other Facebook functions.

Note: The access tokens are already invalidated or refreshed, which does
not allow attackers to get back access again. Today Facebook replied that it is
evaluating paying the mentioned researchers for the findings. We send
some friendly greetings back to Facebook and as well to the US
supervisory authority watching the case.

-- 
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
