The advent of social networking did not only change the way people interact with each other; it also raised new challenges in authorizing a rich ecosystem of third-party applications to interact with a user's account.
Since logging into an application with your social network's credentials is like handing your house keys to people you barely know, the Open Authorization (OAuth) standard has become increasingly popular. It intermediates the interaction between end-users and third-party apps without sharing username/password combinations.
Researcher Nir Goldshlager found a way to hijack the authorization tokens of all users of a specific application just by exploiting a redirect on the app vendor's website.
Before reading further, take a look at how the OAuth framework works. If you don't feel like reading technical documentation, here's the rundown: the application you wish to use asks for a series of permissions to interact with your account. When you accept, Facebook hands the application an authorization token (think of it like a cookie): a random string that grants temporary, scoped access to the Facebook APIs.
Exploitation of the OAuth mechanism is achieved by abusing a parameter called "redirect_uri", which tells Facebook where to deliver the token after the user approves the request. If that destination can be bent toward a location the attacker controls, for example through an open redirect on the app's own domain, the token ends up in the attacker's hands via a malicious application he controls.
"The attacker merely needs to locate a site redirection issue on the developer or owner's app domain, and that's it. They will be able to take the access_tokens of any user on Facebook who uses that particular app," wrote Goldshlager on his blog. "Additionally, Facebook is powerless when it comes to fixing this issue. In fact, the developer or owner of the app needs to take responsibility for these flaws in order to avoid the potentially pernicious site redirection attacks."
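To make the defensive side of this concrete, here is an added example (not code from the article, from Facebook, or from Goldshlager's write-up) of how an authorization server should validate the redirect_uri before handing out a token. It contrasts a lax check that only confirms the host belongs to the app vendor's domain, which is exactly what lets an open redirector on that domain forward the token elsewhere, with a strict exact-match check against a registered allowlist. The hostnames, paths and registered URIs are constructed for illustration.

```python
from urllib.parse import urlparse

# Constructed allowlist: the redirect URIs the app developer registered up front.
# In a real deployment this comes from the app registration record, not a literal.
REGISTERED_REDIRECT_URIS = {
    "https://app.example/oauth/callback",
}
APP_DOMAIN = "app.example"  # assumed vendor domain for the lax check below


def lax_redirect_ok(redirect_uri: str) -> bool:
    """Weak validation: accept any URL whose host sits on the vendor's domain.

    Any open redirector on that domain (e.g. /redirect?to=...) passes this
    check, so the token can be bounced onward to an arbitrary destination.
    """
    host = urlparse(redirect_uri).hostname or ""
    return host == APP_DOMAIN or host.endswith("." + APP_DOMAIN)


def strict_redirect_ok(redirect_uri: str) -> bool:
    """Strict validation: the full URI must exactly match a registered one.

    Scheme, host, port, path and query are all part of the identity of the
    redirect target; fragments and credentials are never acceptable.
    """
    p = urlparse(redirect_uri)
    if p.scheme != "https":
        return False
    if p.fragment or p.username or p.password:
        return False
    if p.port not in (None, 443):
        return False
    if p.query:
        # Registered URIs above carry no query string, so any query is a mismatch.
        return False
    # p.hostname is already lowercased; scheme is lowercased by urlparse.
    canonical = f"{p.scheme}://{p.hostname}{p.path}"
    return canonical in REGISTERED_REDIRECT_URIS


def authorize(redirect_uri: str, token: str, strict: bool = True):
    """Return the destination the token may be delivered to, or None if refused.

    The token travels in the fragment, as in the implicit flow the article
    describes, so only a trusted page may ever receive it.
    """
    ok = strict_redirect_ok(redirect_uri) if strict else lax_redirect_ok(redirect_uri)
    if not ok:
        return None
    return f"{redirect_uri}#access_token={token}"


if __name__ == "__main__":
    # Constructed sample requests: the legitimate callback and an open-redirector URL.
    samples = [
        "https://app.example/oauth/callback",
        "https://app.example/redirect?to=https://attacker.example/collect",
        "http://app.example/oauth/callback",
    ]
    for uri in samples:
        print(f"{uri}\n  lax={lax_redirect_ok(uri)} strict={strict_redirect_ok(uri)}")
```

The second sample is the shape of the flaw described above: the host is genuinely the vendor's, so a domain-only check approves it, while the exact-match check refuses it because the path and query are not on the registered list. The only change a developer needs is to make the strict behaviour the default.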
Here are a couple of things that can minimize the impact of the flaw:
- Keep your applications to an absolute minimum. Don't authorize applications you don't use, as each one increases your attack surface.
- Read the application's permissions and revoke any permission you're not comfortable with. As a rule of thumb, the fewer the permissions, the safer your account. We mentioned that the auth token enforces the permission levels per application, so if one of your apps leaks its auth token, it had better be unable to post on your behalf or access your contacts. Your friends will thank you.
- Use a Facebook protection application such as SafEgo to scan content posted on your wall and to assess the privacy level of your account. If someone's account is compromised and potentially malicious content lands on your wall, the application would flag it and prevent you from falling for scams.