Nir Goldshlager. (photos.hitb.org)
HumanIPO reported in February how Nir Goldshlager, a white hat hacker, had exploited a vulnerability, and how Facebook’s security team quickly addressed it with some minor changes.
Goldshlager has now reported that he again used Facebook’s OAuth mechanism to bypass all the minor changes made by the Facebook Security Team.
Goldshlager used facebook.com/l.php, a file Facebook uses to redirect users to external links, to redirect his potential victims to his Facebook application, which contains malware, and then on to his own server so that he could store token values.
Tokens grant access to any Facebook account without a password.
Goldshlager relates that Facebook had seemingly already taken care of this loophole, since a warning message popped up during the redirect, but he discovered that five bytes of data in the redirection URL could be used to bypass this message.
For example: https://www.facebook.com/l/goldy;touch.facebook.com/apps/sdfsdsdsgs (where 'goldy' is the five bytes of data used).
From there, an attacker can redirect Facebook users to any server or website to run their malware.
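As an added illustration (not code from the article or from Facebook), the following shows why a redirector must decide "internal or external" by parsing the target and comparing the exact hostname rather than by looking for a trusted string anywhere in it; it treats the path after /l/ in the example URL above as the redirect target, and the allowlist and the 'redirect'/'warn' decision are assumptions.

```python
from urllib.parse import urlsplit

# Constructed allowlist of hosts that may be reached without the
# external-link warning page.
TRUSTED_HOSTS = {"www.facebook.com", "touch.facebook.com", "m.facebook.com"}


def naive_is_internal(target: str) -> bool:
    """Weak check, shown only for contrast: a substring test is satisfied by
    any string that merely contains a trusted host name somewhere in it."""
    return any(host in target for host in TRUSTED_HOSTS)


def is_internal(target: str) -> bool:
    """Parse the target and compare its exact hostname against the allowlist.

    Anything that is not an https URL whose hostname is on the list is
    treated as external and gets the warning interstitial.
    """
    if not target.startswith(("http://", "https://")):
        # Scheme-less strings such as 'goldy;touch.facebook.com/...' are not
        # accepted as a trusted destination at all.
        return False
    parts = urlsplit(target)
    if parts.scheme != "https":
        return False
    if parts.username or parts.password:
        # https://www.facebook.com@other.example/ parses with hostname
        # 'other.example'; reject userinfo outright rather than reason about it.
        return False
    return parts.hostname in TRUSTED_HOSTS


def redirect_decision(target: str) -> str:
    """Return 'redirect' for a trusted target and 'warn' for everything else."""
    return "redirect" if is_internal(target) else "warn"


if __name__ == "__main__":
    example = "goldy;touch.facebook.com/apps/sdfsdsdsgs"  # path from the article's URL
    print("naive check:", naive_is_internal(example))    # True: fooled by the substring
    print("parsed check:", is_internal(example))        # False: no trusted https host
    print(redirect_decision("https://touch.facebook.com/apps/sdfsdsdsgs"))
```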
Facebook’s Security Team patched this bug as soon as Goldshlager reported it again.