Egyptian security researcher Mohamed Ramadan, of Attack Secure, has disclosed a couple of vulnerabilities in the Facebook main app, the Facebook Messenger app and the Facebook Pages Manager application for Android.
A user's access token is the key to accessing a Facebook account, and according to him, an attacker only needs to send a message that contains an attachment of any type, i.e. a video, a document or a picture.
Once the victim clicks on that file to download it, the victim's access_token is immediately written to Android's log messages (logcat), which enables other apps to grab the user's access token and hijack the account.
Video Demonstration:
The second flaw reported by Ramadan impacts the Facebook Pages Manager application for Android and is similar to the first: "The vulnerability I found in the Facebook Pages Manager app is the same as the other one, but to exploit it, you need to log in to your Facebook account and your access token will be leaked to all apps without a need to download ANYTHING from ANYONE."
Video Demonstration:
Ramadan also mentioned that Facebook access_tokens don't expire, so users should update their Facebook apps to patch the vulnerability.
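The mechanism behind both flaws is the same: once an access token reaches the Android log buffer, anything else on the device that can read logcat can read the token, and a token that never expires stays useful for as long as it sits there. As an added example, not code from the original article or from Facebook, the following Python script shows the two checks a defender would want here: a scanner that runs over logcat output and flags every line carrying a token-shaped credential, with the PID and tag that wrote it, and a redaction filter of the kind an app should apply before anything token-shaped is handed to the logger. All log lines, tags, package names and token values are constructed for the example.

```python
"""Scan Android logcat output for leaked access tokens and redact them.

Added example for the token-to-logcat issue described above. The log lines,
tags, package names and token values below are constructed; none come from
the article, from Facebook, or from a real device.
"""
import re
import sys
from typing import Dict, List, Optional

# Constructed sample in logcat "threadtime" format: date time PID TID level TAG: message
SAMPLE_LOGCAT = """\
04-14 12:01:02.345  1234  1256 D DownloadManager: starting download id=17 name=holiday.mp4
04-14 12:01:02.901  1234  1256 I FbHttp: GET https://graph.example.invalid/v1/me?access_token=AAABBBCCCexampleTOKEN123&fields=id
04-14 12:01:03.120  1234  1270 V Session: login ok, token=CAAexampleLeakedToken456
04-14 12:01:03.300  1234  1256 D OkHttp: --> Authorization: Bearer hdr_example_token_789
04-14 12:01:03.500  5678  5690 D ActivityManager: Displayed com.example.app/.MainActivity: +312ms
"""

# One logcat "threadtime" line: date, time, pid, tid, priority, tag, message.
LOGCAT_LINE = re.compile(
    r"^(?P<date>\d\d-\d\d) (?P<time>\d\d:\d\d:\d\d\.\d+)\s+(?P<pid>\d+)\s+(?P<tid>\d+)\s+"
    r"(?P<level>[VDIWEF])\s+(?P<tag>\S+?):\s(?P<message>.*)$"
)

# Token-shaped values next to a credential key. Group 1 is the key, group 2 the secret.
TOKEN_PATTERNS = [
    # query-string or key/value forms: ?access_token=AAA..., token=CAA..., oauth_token: ...
    re.compile(r"(?i)\b(access_token|oauth_token|token)\s*[=:]\s*[\"']?([A-Za-z0-9._~-]{8,})"),
    # HTTP Authorization header echoed into the log
    re.compile(r"(?i)\b(Authorization):\s*Bearer\s+([A-Za-z0-9._~-]{8,})"),
]


def parse_logcat_line(line: str) -> Optional[Dict[str, str]]:
    """Split one threadtime-format line into its fields; None if it is not one."""
    m = LOGCAT_LINE.match(line)
    return m.groupdict() if m else None


def find_token_leaks(logcat_text: str) -> List[Dict[str, str]]:
    """Return one record per token-shaped secret found, with the PID and tag that wrote it."""
    leaks = []
    for line in logcat_text.splitlines():
        if not line.strip():
            continue
        # Lines that are not in threadtime format are still scanned, just without attribution.
        fields = parse_logcat_line(line) or {"pid": "?", "tag": "?", "message": line}
        for pattern in TOKEN_PATTERNS:
            for m in pattern.finditer(fields["message"]):
                leaks.append({"pid": fields["pid"], "tag": fields["tag"],
                              "key": m.group(1), "token": m.group(2)})
    return leaks


def _redact_match(m: "re.Match[str]") -> str:
    # Keep the key and separator so the log line stays readable; drop only the secret.
    keep = m.start(2) - m.start(0)
    return m.group(0)[:keep] + "<redacted>"


def redact_tokens(text: str) -> str:
    """Scrub token values before a message is handed to the log (the fix an app should apply)."""
    for pattern in TOKEN_PATTERNS:
        text = pattern.sub(_redact_match, text)
    return text


def main() -> int:
    # Pipe real output in with `adb logcat -d | python3 scan_logcat.py`; otherwise use the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOGCAT
    leaks = find_token_leaks(text)
    for leak in leaks:
        print(f"pid={leak['pid']} tag={leak['tag']} key={leak['key']} "
              f"token={leak['token'][:4]}... (leaked)")
    print(f"{len(leaks)} token-bearing line(s) found")
    return 1 if leaks else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run against the constructed sample, the scanner reports three token-bearing lines (a query-string `access_token`, a bare `token=` and a `Bearer` header) and attributes each to the process that logged it; `redact_tokens` is the other half of the picture, the filter that keeps the key visible for debugging while never letting the secret reach a buffer shared with other apps.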
He was rewarded with a total of $6,000 in bug bounties for reporting the above flaws to the Facebook Security Team.