Vulnerabilities allowed Facebook account hijacking through the Oculus integration
Facebook's integration with the Oculus virtual reality headset could have allowed attackers to hijack Facebook accounts by abusing the Oculus side of the account link, had the social networking giant not patched the vulnerabilities.
Oculus, best known for its Oculus Rift virtual reality (VR) headset, was founded in 2012. In March 2014, Facebook announced that it would acquire Oculus VR, and the deal was completed in July 2014. In August 2014, Facebook added Oculus Rift to its white hat bug bounty program and began paying researchers for reported bugs. Since then, several vulnerabilities have been found in Oculus services, including a series of flaws that earned one researcher $25,000.
In October 2017, Josip Franjkovic, a web security consultant, decided to examine the Oculus application for Windows, which lets users connect their Facebook accounts for a more social experience, both from the native Windows Oculus application and from a browser.
In his research, Franjkovic demonstrated how an attacker could hijack a Facebook account by using specially crafted GraphQL queries to connect a victim's Facebook account to the attacker's Oculus account and obtain the victim's access_token, which also grants access to Facebook's GraphQL endpoint. With further crafted GraphQL queries, the attacker could then take control of the victim's Facebook account, changing the phone number on the account and using it to reset the password.
Franjkovic reported the vulnerability to Facebook on October 24 under the company's bug bounty program. A temporary fix, disabling the facebook_login_sso endpoint, was deployed the same day, and a permanent patch was rolled out by Facebook on October 30.
However, a few weeks later Franjkovic discovered a login CSRF (cross-site request forgery) vulnerability that could have been used to bypass Facebook's patch by redirecting the victim to an Oculus URL of the attacker's choice.
Franjkovic reported the second flaw to Facebook on November 18. A temporary fix, once again disabling the facebook_login_sso endpoint, was deployed the same day, and a complete patch was rolled out by the company three weeks later.
"The fix was to implement a CSRF check on the /account_receivable/ endpoint, AND add an additional click to confirm the link between Facebook and Oculus accounts," Franjkovic wrote. "I believe this properly fixes the vulnerability without degrading user experience too much."
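To make the class of bug and the two-part fix concrete, here is an added illustration in Python. It is not Franjkovic's proof of concept and not Oculus' code: the endpoint name account_receivable is borrowed from the quote above, but the session model, the token store and the link logic are constructed for this example. It contrasts a link endpoint that binds whatever identity a request carries to the logged-in session (so a redirect to an attacker-chosen URL is enough to link the attacker's identity into the victim's session) with a hardened flow that requires a per-session state value on the callback and a separate confirmation click before anything is persisted.

```python
"""Toy model of a third-party account-link flow, vulnerable and hardened.

Constructed for illustration; not Oculus' implementation. The token table
below stands in for the identity provider's token introspection."""

import hmac
import secrets

# Constructed sample data: access_token -> identity-provider user id.
FB_TOKENS = {
    "tok_alice": "fb:alice",
    "tok_mallory": "fb:mallory",
}


def resolve_fb_token(token):
    """Stand-in for asking the identity provider who a token belongs to."""
    if token not in FB_TOKENS:
        raise ValueError("invalid access_token")
    return FB_TOKENS[token]


class Session:
    """A logged-in web session on the linking service (cookie-backed in practice)."""

    def __init__(self, local_user):
        self.local_user = local_user
        self.link_state = None        # used only by the hardened flow
        self.pending_fb_user = None   # used only by the hardened flow


class VulnerableLinkService:
    """Login-CSRF shape: any request in a logged-in session links the token it
    carries, with no proof that this session started the flow."""

    def __init__(self):
        self.links = {}  # local_user -> fb_user

    def account_receivable(self, session, access_token):
        fb_user = resolve_fb_token(access_token)
        self.links[session.local_user] = fb_user
        return fb_user


class HardenedLinkService:
    """Two controls: a session-bound state checked on the callback (the CSRF
    check) and an explicit confirmation step before the link is stored."""

    def __init__(self):
        self.links = {}

    def begin_link(self, session):
        """Step 1: user clicks 'link account'; mint a single-use state value that
        must come back on the callback (the role of an OAuth state parameter)."""
        session.link_state = secrets.token_urlsafe(32)
        return session.link_state

    def account_receivable(self, session, access_token, state):
        """Step 2: the callback. Reject unless state matches what this session
        minted; then park the identity and wait for the user to confirm."""
        if session.link_state is None or not hmac.compare_digest(session.link_state, state):
            raise PermissionError("CSRF check failed: state does not match session")
        session.link_state = None  # single use
        session.pending_fb_user = resolve_fb_token(access_token)
        return session.pending_fb_user

    def confirm_link(self, session, accept):
        """Step 3: the additional click. Only now is the link persisted."""
        fb_user = session.pending_fb_user
        session.pending_fb_user = None
        if fb_user is None:
            raise PermissionError("nothing to confirm")
        if not accept:
            return None
        self.links[session.local_user] = fb_user
        return fb_user


def login_csrf_demo():
    """Victim's logged-in browser follows an attacker-chosen callback URL that
    carries the attacker's own token. Returns (vulnerable result, hardened result)
    for the victim's session."""
    victim = Session("local:alice")
    crafted = {"access_token": "tok_mallory", "state": "guessed-state"}

    vuln = VulnerableLinkService()
    vuln.account_receivable(victim, crafted["access_token"])

    hard = HardenedLinkService()
    try:
        hard.account_receivable(victim, crafted["access_token"], crafted["state"])
    except PermissionError:
        pass
    return vuln.links.get(victim.local_user), hard.links.get(victim.local_user)


def legitimate_link_demo():
    """The intended flow through the hardened service: begin, callback, confirm."""
    session = Session("local:alice")
    hard = HardenedLinkService()
    state = hard.begin_link(session)
    hard.account_receivable(session, "tok_alice", state)
    return hard.confirm_link(session, accept=True)


if __name__ == "__main__":
    print("login CSRF:", login_csrf_demo())     # ('fb:mallory', None)
    print("legitimate:", legitimate_link_demo())  # fb:alice
```

The state check alone defeats the forged callback, since the attacker cannot read the value minted in the victim's session; the confirmation click is the second layer the quote describes, so that even a callback that somehow passes the first check still does nothing until the user explicitly agrees to the link.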
Franjkovic did not disclose how much bounty he earned from Facebook for the two vulnerabilities, but the social networking giant did reveal last week (via SecurityWeek) that it paid out $880,000 in bug bounties to security researchers in 2017.
You can check the technical details of the vulnerabilities on Franjkovic's blog.
Source: SecurityWeek, wccftech