A critical flaw has been found in Facebook’s access token authorisation mechanism.
Cyberoam’s Threat Research Labs (CTRL) found the vulnerability while investigating an ongoing Facebook spam “lady with razor-sharp axe”.
Vulnerability researchers at CTRL reveal flaw allows attackers to perform a range of malicious activities such as uploading photos and videos, posting comments, pay with Facebook, publish content, and send SMS, read mailbox, tag friends’ photos and more. With this, an attacker is able to perform nearly every task which a Facebook user can do and hence allows various malicious actions.
“Ongoing Facebook spams such as ‘lady with razor-sharp axe’ tend to store stolen Facebook access tokens on their servers for further attacks or exploits,” says Bhadresh Patel, lead vulnerability researcher at CTRL.
“This attack is not limited only to tagging or uploading of photos. Upon clicking the link, Facebook users are unwittingly handing over complete access to their Facebook account, which remains available to attackers even after an affected user logs out from Facebook account.”
Findings from CTRL identify a security vulnerability that allows cyber attackers to bypass Facebook’s Access Token Authorisation mechanism. This entitles cyber attackers to generate unauthorised yet valid access tokens. CTRL has already reported this vulnerability to Facebook and extensive investigation from CTRL would be revealed upon suitable reciprocation or release of security patch from Facebook.
CTRL suggests that users follow some guidelines to prevent themselves falling victim to the malware:
* As a Facebook user, do not get tempted to visit or click this video/link;
* Any Facebook user who has already visited this link should immediately change his Facebook account password, for this would lead to expiry of old Access Tokens; and
* Turn off “Apps you use” from App Settings in Facebook account so that no app is able to gain access token to Facebook account.