Security expert Dan Melamed discovered a critical vulnerability in Facebook platform that allow an attacker to take complete control over any account.
The vulnerability is considered critical because it would allow a hacker to hack potentially any Facebook account. Dan Melamed presented the discovery on his blog. Dan demonstrated that how a hacker can reset the victim's account password just by tricking him to visit a malicious exploit code.
The flaw affects the Facebook "claim email address" component. When an user tries to add an email address already registered to Facebook platform, he has the option to "claim it". The loophole exists here, when user claim an email address, Facebook did not check from whom the request came from. This allows an email to be claimed on any Facebook account.
The exploit is possible provided that:
- An existing account having the email address that the attacker wants to claim.
- Another existing account to initiate the claim process.
Dan provided a video of proof of concept:
When user makes a claim request for an @hotmail.com email he is taken to a link that appears like this:
The researcher discovered that the parameter appdata[fbid] was the encrypted email address. Dan used the encrypted email firstname.lastname@example.org for the POC. The link will redirect user to the sign in page for Hotmail.
“You must sign in with the email address that matches the encrypted parameter. Once signed in, you are taken to a final link that looks like this:
The source code confirms that the claim email process has succeeded:
- The link expires in around 3 hours, giving plenty of time for a hacker to use it.
- It can be visited on any Facebook account because there is no check to see who made this request.
To trick the victim, hacker has just to insert the (http://evilsite.com/evilpage.html) exploit link on a webpage as either an image or an iframe.
"Once clicked, the email (in this case: email@example.com) is instantly added to their Facebook account. The victim does not receive any notification whatsoever that this email has been added. The hacker can then reset the victim's password using the newly added email address. Thus allowing the attacker to take complete control over the Facebook account."
This vulnerability has been confirmed to be patched by the Facebook Security Team, fortunately the group is very responsive as demonstrated for the fix of other recent flaws. It must be considered that the popular social networking platform is very attractive for cybercrime and many other categories of attackers, cyber security is a critical aspect for its business success.