Last week a security researcher reported a backdoor shell on a Facebook corporate server; now a researcher has reported another critical login flaw in the Facebook website.
Bitdefender vulnerability researcher Ionut Cernica reported a critical security flaw in the Facebook Login feature. It could have been abused to impersonate users on websites where they had previously registered an account.
Nowadays social logins are an alternative to traditional authentication. They offer users a convenient way to sign in to their web accounts without entering their username and password. Most websites offer social login through Facebook, LinkedIn, Twitter or Google Plus. Bitdefender researchers found a way to steal a user’s identity and gain access to his web accounts using Facebook’s Login plugin.
How it works
For this attack to work, an attacker needed to identify an email address used by the targeted individual to sign up on a website that allows social logins. However, the condition was that the targeted email address had not been used to register a Facebook account.
According to Cernica,
The attacker could have created a Facebook account with the victim’s email address, and then swapped that email address with one they controlled in the Facebook settings panel. The attacker could have used their own address for the email confirmation process and then switched them back to make the victim’s address the primary email again.
Using the Facebook account that had the targeted user’s address set as the primary email, the attacker could have used the social login feature to sign in to the account where the victim had used that email address.
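The flaw above works because the relying website keys the login on the email address the provider reports. The following added example (not code from the article, Bitdefender or Facebook) contrasts that weak pattern with one that links accounts by the provider's stable user id and only trusts an email match when the provider asserts it as verified; the `SocialIdentity` fields are assumptions modelled on OpenID Connect claims, not Facebook's actual API.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class SocialIdentity:
    """Identity assertion a relying party receives from a social-login provider.
    Field names are assumptions (modelled on OpenID Connect claims), not
    Facebook's actual API."""
    provider: str          # e.g. "facebook"
    provider_user_id: str  # stable identifier the provider assigns to the account
    email: str             # email address the provider reports for the account
    email_verified: bool   # whether the provider confirmed control of that address


@dataclass
class Account:
    account_id: int
    email: str
    links: set = field(default_factory=set)  # {(provider, provider_user_id)}


class RelyingParty:
    def __init__(self, accounts):
        self.by_email = {a.email.lower(): a for a in accounts}
        self.by_link = {link: a for a in accounts for link in a.links}

    def login_by_email_only(self, ident: SocialIdentity) -> Optional[Account]:
        """Weak pattern: whoever the provider says owns this email is logged into
        the local account with that email. A provider account carrying the
        victim's address, as in the article, is enough to get in."""
        return self.by_email.get(ident.email.lower())

    def login_hardened(self, ident: SocialIdentity) -> Optional[Account]:
        """Hardened pattern: the durable link is (provider, provider_user_id).
        An email match is used only for first-time linking, and only when the
        provider asserts the address as verified; otherwise the site falls
        back to its own confirmation flow (returns None here)."""
        key = (ident.provider, ident.provider_user_id)
        linked = self.by_link.get(key)
        if linked is not None:
            return linked                 # previously linked: email is irrelevant
        if not ident.email_verified:
            return None                   # unverified address never maps to an account
        acct = self.by_email.get(ident.email.lower())
        if acct is not None:              # stricter sites require an interactive
            acct.links.add(key)           # password login before linking here
            self.by_link[key] = acct
        return acct
```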
Cernica published on his blog
Facebook vulnerability breaks down the convenience of social login authentication. Insufficient security validation allows attackers to impersonate Internet users and gain password-less access to any of their online accounts.
Impact of this issue
This is a serious vulnerability: it allows attackers to log in on most websites that feature Facebook Login. This means an attacker can make payments on the user’s behalf on an e-commerce site, for instance.
The issue was reported to Facebook on 31 March, and Facebook informed the researcher that the vulnerability had been patched on 14 April.