Youssef Sammouda returns with more Facebook hacks – this time leveraging stolen Google authentication tokens to gain access to social media accounts
Meta has fixed a series of bugs that could have allowed a malicious actor to take over a user’s Facebook account, paying their finder a $44,625 bug bounty.
Security researcher Youssef Sammouda was able to hijack the accounts of Facebook users who signed up using a Gmail account and used the Gmail OAuth id_token/code to log into the site.
And, he tells The Daily Swig, the same technique could have been used on other accounts: “Due to the complexity of creating such an exploit to do so, I submitted the exploit only for the scenario that would result in taking over Facebook accounts authenticated with Google,” he says.
The Facebook exploit took advantage of a series of vulnerabilities, including a logout CSRF bug that forces the victim to log out of their Facebook account in their browser, and a login CSRF bug that logs the victim’s browser into the attacker’s Facebook account.
Chaining these allowed Sammouda to take over the accounts.
“We log the user out of their Facebook account, we force them to log in to the attacker’s Facebook account,” he explained.
“At this point, the attacker’s Facebook account is stuck on the Checkpoint tool; we redirect to Google OAuth, which eventually redirects us to Facebook.com with a special token and code.
The researcher said: “Facebook.com leaks the token and code into the sandbox domain, and we eventually exploit the XSS bug to steal the token and code from the sandbox domain.”
Sammouda says the reporting process was efficient and straightforward: he reported the bug to Meta on February 16, and the company fixed the issues on March 21. He received his payment on May 14.
This isn’t the researcher’s first bumper payout. Indeed, he has reported a dozen Facebook bugs with similar payments before.
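As an added illustration (not code from the article or from Sammouda’s write-up), the Python sketch below shows the server-side checks that break the two CSRF steps described above: a logout that only proceeds with a per-session token, and an OAuth callback that rejects a `state` value not minted for the same browser session, so a callback URL completed in the attacker’s session cannot log the victim’s browser into the attacker’s account. The in-memory session store, endpoint names and the `id_token_owner` parameter are assumptions for the demo.

```python
"""Login/logout CSRF defences, framework-free, for illustration only."""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Session:
    """Server-side state for one browser session (constructed in-memory store)."""
    user: Optional[str] = None
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))
    oauth_state: Optional[str] = None

def logout(session: Session, submitted_token: Optional[str]) -> bool:
    """Logout changes state, so it must carry the session's CSRF token.
    A cross-site request (image tag, auto-submitted form) cannot read it."""
    if submitted_token is None or not hmac.compare_digest(session.csrf_token, submitted_token):
        return False  # forged logout rejected: victim stays logged in
    session.user = None
    return True

def begin_oauth_login(session: Session) -> dict:
    """Build the authorization redirect; `state` is stored on *this* session."""
    session.oauth_state = secrets.token_urlsafe(32)
    return {"redirect_uri": "https://app.example/oauth/callback", "state": session.oauth_state}

def oauth_callback(session: Session, params: dict, id_token_owner: str) -> bool:
    """Accept the provider's code/id_token only when `state` matches the value
    minted for this browser session (single use). id_token_owner is assumed to be
    the subject of an id_token already verified elsewhere."""
    expected = session.oauth_state
    session.oauth_state = None
    if expected is None or not hmac.compare_digest(expected, params.get("state", "")):
        return False  # state from another session (e.g. the attacker's) is rejected
    session.user = id_token_owner
    return True

def demo() -> dict:
    """Constructed scenario: forged logout, replayed attacker callback, legit login."""
    victim = Session(user="victim@gmail.com")
    attacker = Session()
    forged_logout = logout(victim, None)
    attacker_flow = begin_oauth_login(attacker)          # attacker completes their own flow
    replayed_login = oauth_callback(victim, {"state": attacker_flow["state"]}, "attacker@gmail.com")
    own_flow = begin_oauth_login(victim)
    legit_login = oauth_callback(victim, {"state": own_flow["state"]}, "victim@gmail.com")
    return {"forged_logout": forged_logout, "replayed_login": replayed_login,
            "legit_login": legit_login, "user": victim.user}
```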
Last year, for example, he earned $126,000 for finding a set of three flaws in Facebook’s Canvas technology, with follow-up work earlier this year earning him $98,000.
This latest payment, he says, “shows the severity of the bug, and also how much Meta cares about the security of users’ accounts”.
We have invited Facebook to comment and will update if we hear anything further.
Full technical details can be found in Sammouda’s latest blog post.