UPDATE Popular applications Skype and Dropbox fixed holes in their websites this week that could have allowed an attacker to gain control of users’ Facebook accounts. In what’s technically being referred to as an “open direct vulnerability,” both applications failed to validate sites before sending users and their access tokens to them.
According to TechCrunch, security researcher Nir Goldshlager discovered the vulnerability and responsibly disclosed it to both Dropbox and Skype who went on to publish a fix for the flaw. Goldshlager has taken to calling the vulnerability the “Unfix bug,” since Facebook isn’t directly responsible for fixing it.
When it comes to execution, as long as an attacker knew someone who had their Facebook account connected to either Dropbox or Skype, they’d be vulnerable.
An attacker could use Facebook’s Graph API explorer to glean their ID, string together a URL comprised of that ID, a URL from Dropbox or Skype and set it up to redirect to a malicious site to grant them access to their the Facebook access token. According to Goldshlager, a Facebook access token could give an attacker access to anything the user had already granted the app to do. That includes pulling personal information from the compromised Facebook account and oftentimes the ability to post to their wall.
“The attacker merely needs to locate a site redirection issue on the developer or owner’s app domain, and that’s it. They will be able to take the access_tokens of any user on Facebook who uses that particular app,” Goldshlager wrote on his blog yesterday.
According to a statement given to Techcrunch by Facebook’s security team, the vulnerabilities, while not Facebook’s fault, stemmed from faulty Oauth authorizations in the applications’ domains.
“While not a Facebook bug, we have and will continue to work with our OAuth partners to prevent this exploit,” the company said.
The issue with Skype, according to a Microsoft spokesperson, stemmed from a problem with a partner site.
“We investigated the issue, determined it was a third party vulnerability, and worked with the necessary people to help protect customers,” according to the spokesperson.
Goldshlager, who recently founded his own Israeli-based firm, Break Security, has clearly found a niche digging up authentication bugs. It was only a few weeks ago that Facebook, where Goldshlager constantly appears on the company’s White Hat ‘Thank You’ list, fixed a separate vulnerability he found in Facebook’s OAuth authentication dialog. That flaw, like this week’s, gave him full access to users’ accounts by wrestling away their unique access tokens.
Goldshlager addresses both Facebook authentication bugs in depth on his blog, which he recently moved to Break Security.