HOTforSecurity
Alexandra GHEORGHE @alexandra_gh
Alerts • Industry News

Facebook patches serious login flaw found by Bitdefender vulnerability researcher

April 26, 2016

Have you ever tried creating a Facebook account under someone else's name and then using it to access that person's online accounts? Accounts you know they hold on e-commerce or travel sites, so you could book a flight or order a smart TV on their behalf?

Ionut Cernica did exactly that. He helped Facebook patch a serious login vulnerability that allowed rogue users to access online accounts via Facebook’s social login functionality.

Ionut is 25, works as a vulnerability researcher for Bitdefender and is sharpening his crypto skills at CTF competitions.

The impersonation attack

Social logins are an alternative to traditional authentication. They offer users a convenient way to sign in to their web accounts without entering their username and password. Most websites offer social login through Facebook, LinkedIn, Twitter or Google Plus.

By exploiting a vulnerability in Facebook's login plugin, the Bitdefender researcher found a way to steal a user's identity and gain full access to his web accounts. With one condition: for the attack to succeed, the victim's email address must not already be registered on Facebook.

To perform the test, he used two email accounts:

  • fbbugbounty1@gmail.com (researcher account)
  • fbbugbounty2@gmail.com (victim account)

He created a Facebook account with the victim’s email address.


Fig. 1 Researcher creates new Facebook account with victim email address

After signing up, he swapped the email address for one he controlled (in this case, fbbugbounty1@gmail.com).


Fig. 2 Researcher changes victim email address with his own

After refreshing the page, it seemed like the victim’s email address had been validated with no extra confirmation required.

When he tried to sign in via the “Facebook Login” button – with the victim’s email address – on a third-party website, he was asked to confirm his own email address, not the victim’s. Under account settings in Facebook, the victim’s address was the primary contact, even though the researcher only confirmed his personal account (fbbugbounty1@gmail.com).


Fig. 3 Researcher is asked to confirm own email address

“I successfully confirmed fbbugbounty1@gmail.com, but in the Settings page it looks like I never did,” Ionut says. “I used Facebook Login again and decided to switch the primary contact from the victim’s address to mine, then switch them again so as to make fbbugbounty2@gmail.com (victim account) the primary account. This is an important step to reproduce the issue.”


Fig. 4 Researcher sets victim’s email address as primary contact

On another website, he used “Facebook Login” to successfully authenticate as the victim. The site matched the email address of the victim – passed to it by Facebook – to the existing account and allowed the attacker to control the account.

The identity provider – in this case, Facebook – should wait until the email address has been verified, Ionut says.
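The relying-party side of this story deserves a concrete look as well: the third-party site fell for the attack because it keyed the login purely on the email address Facebook handed it. The following is an added example (not code from Facebook, Bitdefender or the article) showing a vulnerable email-match handler next to a hardened one. It assumes the identity provider's assertion is a small dictionary with a stable subject id (`sub`), an `email` and an `email_verified` flag in the style of OpenID Connect claims; the real Facebook API is not modelled, and the sample account table is constructed from the two addresses used in the article.

```python
"""Relying-party social-login handler: link accounts on IdP subject, not on unverified email.

Added illustration; the claim layout (sub / email / email_verified) is an assumption
modelled on OpenID Connect, not Facebook's actual login response.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class Account:
    """A local account at the third-party site. linked_subjects holds the IdP
    subject ids that have been bound to it on a verified login."""
    email: str
    linked_subjects: Set[str] = field(default_factory=set)


class LinkRejected(Exception):
    """Raised when the IdP assertion is too weak to attach to an existing account."""


def sample_accounts() -> Dict[str, Account]:
    """Constructed sample data: the victim already holds an account at the site,
    with no Facebook identity linked to it yet."""
    return {"fbbugbounty2@gmail.com": Account(email="fbbugbounty2@gmail.com")}


def vulnerable_login(claims: dict, accounts: Dict[str, Account]) -> Optional[Account]:
    """The behaviour the article describes: trust whatever email the IdP passes
    and match it straight against the local account table."""
    return accounts.get(claims["email"].lower())


def hardened_login(claims: dict, accounts: Dict[str, Account]) -> Account:
    """Key on the IdP subject id; fall back to email only when the IdP asserts
    that it has verified the address."""
    subject = claims["sub"]
    email = claims["email"].lower()

    # 1. A subject that was linked on an earlier verified login is the IdP
    #    identity itself, so honour it even if the email in the claims changed.
    for acct in accounts.values():
        if subject in acct.linked_subjects:
            return acct

    # 2. Never let an unverified (or unstated) email select an existing account.
    #    A missing flag is treated as "not verified", which covers IdPs that
    #    do not emit it at all.
    if not claims.get("email_verified", False):
        raise LinkRejected(f"{email} has not been verified by the identity provider")

    # 3. Verified email: bind the subject now so later logins use step 1.
    acct = accounts.get(email)
    if acct is None:
        acct = Account(email=email)
        accounts[email] = acct
    acct.linked_subjects.add(subject)
    return acct


def login_outcome(claims: dict, accounts: Dict[str, Account]) -> str:
    """Wrapper that reports the decision as a string: 'ok:<email>' or 'rejected'."""
    try:
        return "ok:" + hardened_login(claims, accounts).email
    except LinkRejected:
        return "rejected"


if __name__ == "__main__":
    accounts = sample_accounts()
    # Constructed assertion resembling the article's attack: a Facebook account
    # whose primary contact is the victim's address, never actually confirmed.
    impersonator = {"sub": "fb-subject-attacker", "email": "fbbugbounty2@gmail.com",
                    "email_verified": False}
    print("vulnerable:", vulnerable_login(impersonator, accounts))
    print("hardened:  ", login_outcome(impersonator, accounts))
```

In the hardened version the first successful link requires a verified email, and from then on the site recognises the IdP subject rather than re-matching on email. That is exactly the window the article's attack exploits: an identity provider that presents an address as primary before anyone has proven ownership of it. Sites that cannot get a verification flag from their provider should treat the email as unverified and fall back to their own challenge (for example, a login with the local password before linking).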

Facebook patched the security vulnerability shortly after being notified.


About the author


Alexandra GHEORGHE

Alexandra started writing about IT at the dawn of the decade - when an iPad was an eye-injury patch, we were minus Google+ and we all had Jobs. She has since wielded her background in PR and marketing communications to translate binary code to colorful stories that have been known to wear out readers' mouse scrolls. Alexandra is also a social media enthusiast who 'likes' only what she likes and LOLs only when she laughs out loud.

1 Comment

  • Anonymous says:
    April 27, 2016 at 2:49 pm

    I know that Facebook runs a bug bounty program for the responsible disclosure of such vulnerabilities. And yet there doesn't seem to be any mention of said bug or the researcher's disclosure in the hall of fame.
