Hackers Could Have Exploited Facebook Accounts Via Oculus App

Vulnerabilities allowed hacking in Facebook using Oculus integration

Facebookโ€™s integration with the Oculus virtual reality headset could have opened doors for malicious attackers to hijack accounts by exploiting the latter had the social networking giant not patched the vulnerabilities.

Oculus, known best for theirย Oculus Riftย virtual reality (VR) headset, was founded in 2012. In March 2014, Facebook announced that they would acquire Oculus VR, which was later completed in July 2014. In August 2014, Facebook included Oculus Rift in its white hat bug bounty program and paid money to researchers for reporting bugs. Since then, several vulnerabilities have been found in Oculus services including a series ofย flawsย that earned a researcher $25,000.

In October 2017, Josip Franjkovic, a web security consultant, decided to examine the Oculus application for Windows, which enablesย users to connect their Facebook accounts for a more social experience by using both the native Windows Oculus application and browsers.

In his research,ย Franjkovic demonstrated how an attacker couldย hijack Facebook accounts by using specially crafted GraphQL queries to connect a victimโ€™s Facebook account to the attackerโ€™s Oculus account and obtain the victimโ€™s access_token, which also has access to Facebookโ€™s GraphQL endpoint. Using specially crafted GraphQL queries, the attacker can take control of the victimโ€™s Facebook account and change the victimโ€™s accountโ€™sย phone number and then reset the accountโ€™s password.

Franjkovic reported the vulnerability to Facebook on October 24 under the companyโ€™s bug bounty program for which a temporary fix was done on the same day that involved disabling theย facebook_login_ssoย endpoint. Further, a permanent patch was rolled out by Facebook on October 30.

However, Franjkovic discovered a login CSRF (cross site request forgery) vulnerability a few weeks later that could have been used toย exploit bypass Facebookโ€™s patch by redirecting the victim to an Oculus URL of the attackerโ€™s choice.

Franjkovic reported the second flaw to Facebook on November 18 for which a temporary fix was done on the same day by again disabling thefacebook_login_ssoย endpoint. Three weeks later, a complete patch was rolled out by the company.

โ€œThe fix was to implement a CSRF check on the /account_receivable/endpoint, AND add an additional click to confirm the link between Facebook and Oculus accounts,โ€ย Franjkovic wrote. โ€œI believe this properly fixes the vulnerability without degrading user experience too much.โ€

While Franjkovic did not disclose how much bounty amount he earned from Facebook for discovering the vulnerabilities, but the social networking giant did reveal last week (viaย SecurityWeek) that it had ended up paying $880,000 in bug bounties in 2017 to security researchers.

You can check technical detailsย for the vulnerabilities on Franjkovicโ€™s blog.

Source: SecurityWeek, wccftech

Subscribe to our newsletter

To be updated with all the latest news

Kavita Iyer
Kavita Iyerhttps://www.techworm.net
An individual, optimist, homemaker, foodie, a die hard cricket fan and most importantly one who believes in Being Human!!!

LEAVE A REPLY

Please enter your comment!
Please enter your name here

Subscribe to our newsletter

To be updated with all the latest news

Read More

Suggested Post