Latest Facebook Bug Allows Attackers To Hack Your Accounts On Other Sites

Researchers at Bitdefender have recently identified a bug in Facebook's account registration process that, indirectly, allowed attackers to take over user profiles on sites that offer a Login with Facebook option.
The vulnerability could be exploited if an attacker found an email address that a victim used on a regular basis but had never registered with Facebook.
The attacker could take it upon himself to create a Facebook profile with the victim’s email address, and when Facebook would ask him to confirm his identity, he could add his own email to the account, as a secondary email address.
The attacker could then switch the primary email (victim’s address) with the secondary email (his own address), and tell Facebook he’s ready to confirm the account.
Facebook would then send the confirmation email, the attacker would verify the profile and, shortly afterwards, switch his email address with the victim’s email address as the account’s primary identity.
Facebook would consider the account confirmed, even though only the secondary email address had actually been validated, not the primary one (the victim’s).
While this may seem to be just a simple bug in Facebook’s registration process, in reality it is not. Because Facebook’s Social Login feature allows users to register and log in on other sites, registering a Facebook account under someone else’s email address is dangerous.
In this particular scenario, if a victim had an account on e-commerce stores or business management portals where the Facebook Social Login feature was enabled, an attacker could have automatically logged in using the rogue-registered profile and taken over the victim’s identity.
Neither Facebook nor the targeted website would be able to spot anything wrong since everything looked normal on their side. Facebook would see a validated user logging in on another site, and the target site would see one of its registered users utilizing a Facebook profile to log in without entering his password, with the email addresses for both accounts matching.
Bitdefender informed Facebook, which has since fixed the issue. “The identity provider – in this case, Facebook – should wait until the email address has been verified,” says Ionut Cernica, the Bitdefender specialist who discovered the issue.
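The root cause described above is a verification state that belongs to the account as a whole rather than to the individual email address that was actually mailed. The following added example (my own illustration, not Bitdefender's or Facebook's code; all class and function names and the email addresses are constructed) models both the flawed account and a per-address variant, replays the registration sequence the article describes against each, and shows the check a relying party should make before mapping a social login onto a local user.

```python
import secrets


class ConfirmationFlagAccount:
    """Identity-provider account as the article describes it: a single
    account-wide 'confirmed' flag that is set when any address is verified."""

    def __init__(self, primary_email):
        self.primary_email = primary_email
        self.secondary_email = None
        self.confirmed = False
        self._pending = {}  # confirmation token -> address it was mailed to

    def add_secondary(self, email):
        self.secondary_email = email

    def swap_primary_and_secondary(self):
        self.primary_email, self.secondary_email = (
            self.secondary_email, self.primary_email)

    def send_confirmation(self):
        # The confirmation mail always goes to whatever is primary right now.
        token = secrets.token_urlsafe(16)
        self._pending[token] = self.primary_email
        return token

    def confirm(self, token):
        self._pending.pop(token)  # KeyError on an unknown token
        self.confirmed = True     # defect: not tied to the address mailed

    def is_verified(self, email):
        # Any address that later becomes primary inherits the flag.
        return self.confirmed and email == self.primary_email


class PerAddressAccount(ConfirmationFlagAccount):
    """Same registration flow, but verification is recorded per address
    (the fix the Bitdefender researcher recommends)."""

    def __init__(self, primary_email):
        super().__init__(primary_email)
        self.verified_emails = set()

    def confirm(self, token):
        mailed_to = self._pending.pop(token)
        self.verified_emails.add(mailed_to)  # only the address that clicked

    def is_verified(self, email):
        return email in self.verified_emails


def run_registration_flow(account_cls, victim_email, attacker_email):
    """Replays the sequence from the article against either model and
    returns the resulting account, so the two can be compared directly."""
    acct = account_cls(victim_email)
    acct.add_secondary(attacker_email)
    acct.swap_primary_and_secondary()   # other address is now primary
    token = acct.send_confirmation()    # mail goes to that address
    acct.confirm(token)
    acct.swap_primary_and_secondary()   # victim's address is primary again
    return acct


def social_login(local_users, idp_account):
    """Relying-party side: map an identity-provider login onto a local
    user by email address, but only when the provider vouches that this
    exact address is verified. local_users maps email -> local username."""
    email = idp_account.primary_email
    if not idp_account.is_verified(email):
        return None  # refuse to link; treat as an unverified identity
    return local_users.get(email)


if __name__ == "__main__":
    # Constructed sample data for a relying party with one local user.
    local_users = {"victim@example.com": "victim"}
    for cls in (ConfirmationFlagAccount, PerAddressAccount):
        acct = run_registration_flow(cls, "victim@example.com",
                                     "attacker@example.net")
        print(cls.__name__, "->", social_login(local_users, acct))
```

Running the block prints a local username for the flag-based model and `None` for the per-address model: with the same sequence of operations, the only thing that changes the outcome is whether the provider records which address was actually confirmed. A relying party cannot detect the difference from its side, which is why the check has to live with the identity provider's per-address state.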
