Access token allows message publishing when it shouldn't

Nov 11, 2014 20:57 GMT  ·  By

Reported to Facebook towards the end of 2013, a security bug that allowed an attacker to post comments on someone else’s timeline is allegedly still valid, more than ten months later.

Last year, researcher Vivek Bansal sent the Facebook security team a proof-of-concept demonstrating how access tokens in mobile apps without permission to post on Facebook can be used to do exactly that. An app cannot post text or share links on a user’s timeline without “publish permissions.”

The bug was still working at the beginning of the week

For bringing this bug to Facebook’s attention, Bansal received a $2,000 / €1,600 reward and he was included in the Hall of Fame of researchers who identified serious issues in the security mechanisms of the social networking platform.

However, it appears that the glitch was either resurrected by subsequent modifications, or someone forgot to apply the patch; the first variant is more likely to have happened.

Recently, Bansal launched the same script used for the initial demonstration of the bug and noticed that everything worked as if no change had occurred.

A video posted on YouTube (see below) last Tuesday showed that the security flaw was still present, and in a related Facebook post the bug hunter did not provide any clues that the security team at the social networking website took any action to plug the hole.

We asked Bansal if he tested the script at a more recent date in order to verify whether it still worked. He replied by saying that the most recent check he had done was the day before, on Monday, and the glitch was still present. On Tuesday, he ran another check, with the same result.

Attacks are simple to carry out

The recent demo video published on YouTube is short and to the point, showing that a token with only basic permissions for Facebook profile interaction could be used to drop a message on the user’s timeline, as well as their friends’.

An attack scenario would involve an app that has only basic permissions for the Facebook profile, publishing not being among them, sharing text, links, images or video without the user’s knowledge.

The entire process happens in the background and there is no visible sign of anything out of the ordinary, except for the messages themselves.

It is hard to believe that Facebook paid the bounty money and rewarded the hunter with a place in the Hall of Fame but forgot to close the bug, although it is not impossible.

The most likely scenario is that they forgot to recheck the patch at a later time. Supporting this theory is the fact that Bansal received an email from Facebook at the beginning of the year informing him that the glitch had been removed and he was free to publish his findings.

Recent demonstration of the bug: [embedded YouTube video]

Image gallery (4 images): "Bug script tested on November 5"; "Facebook access token does not have publish permission"; "Glitch allows posting on friends' timeline".